(websocket client + server) WebSocketMessage class tweak to fix unsafe patterns

* Fix unsafe calls and safeguard WebSocketMessage from being called w/
temporaries

* Use unnamed namespace to express internal linkage

README.md

@@ -132,6 +132,7 @@ To check the performance of a websocket library, you can look at the [autoroute]
 | Windows           | Disabled          | None              | [![Build2][5]][0] |
 | UWP               | Disabled          | None              | [![Build2][6]][0] |
 | Linux             | OpenSSL           | Address Sanitizer | [![Build2][7]][0] |
+| Mingw             | Disabled          | None              | [![Build2][8]][0] |
 
 * ASAN fails on Linux because of a known problem, we need a 
 * Some tests are disabled on Windows/UWP because of a pathing problem
@@ -145,4 +146,5 @@ To check the performance of a websocket library, you can look at the [autoroute]
 [5]: https://github.com/machinezone/IXWebSocket/workflows/windows/badge.svg
 [6]: https://github.com/machinezone/IXWebSocket/workflows/uwp/badge.svg
 [7]: https://github.com/machinezone/IXWebSocket/workflows/linux_asan/badge.svg
+[8]: https://github.com/machinezone/IXWebSocket/workflows/unittest_windows_gcc/badge.svg
 

docs/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All changes to this project will be documented in this file.
 
+## [11.2.8] - 2021-06-03
+
+(websocket client + server) WebSocketMessage class tweak to fix unsafe patterns
+
+## [11.2.7] - 2021-05-27
+
+(websocket server) Handle and accept firefox browser special upgrade value (keep-alive, Upgrade)
+
 ## [11.2.6] - 2021-05-18
 
 (Windows) move EINVAL (re)definition from IXSocket.h to IXNetSystem.h (fix #289)

ixwebsocket/IXWebSocket.cpp

@@ -15,6 +15,12 @@
 #include <cmath>
 
 
+namespace
+{
+    const std::string emptyMsg;
+} // namespace
+
+
 namespace ix
 {
     OnTrafficTrackerCallback WebSocket::_onTrafficTrackerCallback = nullptr;
@@ -38,7 +44,7 @@ namespace ix
             [this](uint16_t code, const std::string& reason, size_t wireSize, bool remote) {
                 _onMessageCallback(
                     ix::make_unique<WebSocketMessage>(WebSocketMessageType::Close,
-                                                      "",
+                                                      emptyMsg,
                                                       wireSize,
                                                       WebSocketErrorInfo(),
                                                       WebSocketOpenInfo(),
@@ -217,7 +223,7 @@ namespace ix
 
         _onMessageCallback(ix::make_unique<WebSocketMessage>(
             WebSocketMessageType::Open,
-            "",
+            emptyMsg,
             0,
             WebSocketErrorInfo(),
             WebSocketOpenInfo(status.uri, status.headers, status.protocol),
@@ -251,7 +257,7 @@ namespace ix
 
         _onMessageCallback(
             ix::make_unique<WebSocketMessage>(WebSocketMessageType::Open,
-                                              "",
+                                              emptyMsg,
                                               0,
                                               WebSocketErrorInfo(),
                                               WebSocketOpenInfo(status.uri, status.headers),
@@ -338,7 +344,7 @@ namespace ix
                 connectErr.http_status = status.http_status;
 
                 _onMessageCallback(ix::make_unique<WebSocketMessage>(WebSocketMessageType::Error,
-                                                                     "",
+                                                                     emptyMsg,
                                                                      0,
                                                                      connectErr,
                                                                      WebSocketOpenInfo(),

ixwebsocket/IXWebSocketHandshake.cpp

@@ -204,6 +204,9 @@ namespace ix
         // Check the value of the connection field
         // Some websocket servers (Go/Gorilla?) send lowercase values for the
         // connection header, so do a case insensitive comparison
+        //
+        // See https://github.com/apache/thrift/commit/7c4bdf9914fcba6c89e0f69ae48b9675578f084a
+        //
         if (!insensitiveStringCompare(headers["connection"], "Upgrade"))
         {
             std::stringstream ss;
@@ -296,7 +299,8 @@ namespace ix
             return sendErrorResponse(400, "Missing Upgrade header");
         }
 
-        if (!insensitiveStringCompare(headers["upgrade"], "WebSocket"))
+        if (!insensitiveStringCompare(headers["upgrade"], "WebSocket") &&
+            headers["Upgrade"] != "keep-alive, Upgrade") // special case for firefox
         {
             return sendErrorResponse(400,
                                      "Invalid Upgrade header, "

ixwebsocket/IXWebSocketMessage.h

@@ -42,6 +42,18 @@ namespace ix
         {
             ;
         }
+
+        /**
+         * @brief Deleted overload to prevent binding `str` to a temporary, which would cause
+         * undefined behavior since class members don't extend lifetime beyond the constructor call.
+         */
+        WebSocketMessage(WebSocketMessageType t,
+                         std::string&& s,
+                         size_t w,
+                         WebSocketErrorInfo e,
+                         WebSocketOpenInfo o,
+                         WebSocketCloseInfo c,
+                         bool b = false) = delete;
     };
 
     using WebSocketMessagePtr = std::unique_ptr<WebSocketMessage>;

ixwebsocket/IXWebSocketVersion.h

@@ -6,4 +6,4 @@
 
 #pragma once
 
-#define IX_WEBSOCKET_VERSION "11.2.6"
+#define IX_WEBSOCKET_VERSION "11.2.8"