
Comparing changes

base repository: socketio/engine.io
base: 9534355
head repository: socketio/engine.io
compare: c6315af
  • 2 commits
  • 6 files changed
  • 1 contributor

Commits on Jan 11, 2022

  1. fix: properly handle invalid data sent by a malicious websocket client

    **IMPORTANT SECURITY FIX**
    
    A malicious client could send a specially crafted HTTP request,
    triggering an uncaught exception and killing the Node.js process:
    
    > RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
    >   at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
    >   at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
    >   at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
    >   at writeOrBuffer (internal/streams/writable.js:358:12)
    
    This bug was introduced by [1], included in `[email protected]`, so
    previous releases are not impacted.
    
    [1]: f3c291f
    
    Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.
    
    Backported from master: c0e194d
    darrachequesne committed Jan 11, 2022
    a70800d
  2. chore(release): 4.1.2

    darrachequesne committed Jan 11, 2022
    c6315af
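
The first commit message describes a parse error on client-supplied data escaping as an uncaught exception. The following is an added example, not code from engine.io or ws: it assumes the error reaches the process because an `"error"` event is emitted with no listener attached, which the page does not state. `FrameParser`, `handleUnguarded` and `handleGuarded` are hypothetical names and the frames are constructed.

```javascript
// Added example (not engine.io or ws source). FrameParser is a constructed
// stand-in for a WebSocket frame receiver; all names are hypothetical.
const { EventEmitter } = require("events");

class FrameParser extends EventEmitter {
  // Validate the first header byte of a frame (RFC 6455, section 5.2).
  write(chunk) {
    const rsv2 = (chunk[0] & 0x20) !== 0;
    const rsv3 = (chunk[0] & 0x10) !== 0;
    if (rsv2 || rsv3) {
      // Node's emit() throws the error itself when "error" has no listener.
      this.emit("error", new RangeError("Invalid WebSocket frame: RSV2 and RSV3 must be clear"));
      return false;
    }
    this.emit("frame", chunk);
    return true;
  }
}

// Before: no "error" listener, so an invalid frame becomes a thrown exception.
// Inside a stream callback nothing catches it and the process exits.
function handleUnguarded(chunk) {
  const parser = new FrameParser();
  parser.write(chunk);
  return "accepted";
}

// After: the listener turns the parse error into a per-connection close.
function handleGuarded(chunk, log = []) {
  const parser = new FrameParser();
  let state = "open";
  parser.on("error", (err) => {
    log.push(err.message);
    state = "closed"; // a real server would also destroy the socket here
  });
  parser.write(chunk);
  return state;
}

// Constructed inputs: 0x81 = FIN + text opcode; 0xb1 also sets RSV2 and RSV3.
const validFrame = Buffer.from([0x81, 0x00]);
const invalidFrame = Buffer.from([0xb1, 0x00]);

function demo() {
  let crashed = false;
  try { handleUnguarded(invalidFrame); } catch (e) { crashed = e instanceof RangeError; }
  return { crashed, guarded: handleGuarded(invalidFrame), valid: handleGuarded(validFrame) };
}
console.log(demo());
```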