OpenSIPS / opensips

OpenSIPS is a GPL implementation of a multi-functionality SIP Server that targets to deliver a high-level technical solution (performance, security and quality) to be used in professional SIP server platforms.
https://opensips.org

[BUG]Websocket handshake fails if missing Origin header #2342

Open robdyck opened 3 years ago

robdyck commented 3 years ago

OpenSIPS version you are running

version: opensips 3.1.1 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
git revision: 229ec0793
main.c compiled on 10:24:50 Dec  5 2020 with gcc 10

Describe the bug

According to RFC 6455, the Origin header in a WebSocket handshake is always present when the handshake originates from a web browser, but otherwise it is optional and not really useful. In a SIP context the "Origin" is present when a UA is running in a web browser, e.g. sipified WebRTC.

A problem arises when a non-browser UA attempts a handshake, e.g. baresip. OpenSIPS arbitrarily drops the connection, although for this use case "Origin" is not required.

There does not appear to be any origin filtering in tls_mgm. Origin could simply be ignored and the connection accepted. On the other hand, filtering should be done in the case of browser-based UAs as per the RFC, e.g. https://example.com. Origin is supposed to prevent session hijacking in the browser.

If the header is missing just accept the connection and assume a non-browser origin.

To Reproduce

Configure baresip to register via websocket and start it.

Expected behavior

Baresip registers successfully.

Relevant System Logs


OS/environment information

Dec 13 11:58:05 [2196638] DBG:proto_wss:ws_server_handshake: We're releasing the connection in state 0
Dec 13 11:58:05 [2196638] DBG:core:parse_headers: flags=ffffffffffffffff
Dec 13 11:58:05 [2196638] DBG:core:get_hdr_field: found end of header
Dec 13 11:58:05 [2196638] ERROR:proto_wss:ws_parse_req_handshake: Origin header not present!
Dec 13 11:58:05 [2196638] DBG:proto_wss:ws_server_handshake: cannot parse handshake
Dec 13 11:58:05 [2196638] DBG:proto_wss:tls_update_fd: New fd is 4
Dec 13 11:58:05 [2196638] DBG:proto_wss:tls_write: write was successful (55 bytes)
Dec 13 11:58:05 [2196638] ERROR:proto_wss:wss_read_req: cannot complete WebSocket handshake

Additional context

razvancrainea commented 3 years ago

Perhaps we shall use a switch as a mod param to force or not the Origin header.

robdyck commented 3 years ago

For my own testing, I simply eliminated references to that header. OpenSIPS does nothing with it anyway. It works fine whether the connection is from a browser or not.

razvancrainea commented 3 years ago

I've just pushed a commit to add the require_origin parameter, which can be turned off. The parameter is available for both proto_ws and proto_wss modules. Please give it a try and let us know if it serves your purpose.
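
The policy proposed in the issue (accept a handshake that carries no Origin as a non-browser client, filter when one is present), sketched in C as an added example; it is not OpenSIPS code. `check_origin`, the allowlist and the verdict names are hypothetical, and the `require_origin` argument only mirrors the module switch mentioned in the thread.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum origin_verdict { ORIGIN_ACCEPT, ORIGIN_REJECT_MISSING, ORIGIN_REJECT_FORBIDDEN };

/* Case-insensitive compare of n bytes; stops at the first mismatch (incl. NUL in a). */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Locate the Origin header value in a raw handshake request; NULL if absent. */
static const char *find_origin(const char *req, size_t *len)
{
    const char *line = strstr(req, "\r\n");             /* end of request line */
    while (line && strncmp(line, "\r\n\r\n", 4) != 0) {
        line += 2;                                       /* start of a header line */
        if (ieq(line, "Origin:", 7)) {                   /* name must start the line */
            const char *v = line + 7, *end = strstr(v, "\r\n");
            if (!end)
                return NULL;                             /* truncated header */
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--;
            *len = (size_t)(end - v);
            return v;
        }
        line = strstr(line, "\r\n");
    }
    return NULL;
}

/* require_origin mirrors the switch discussed in the thread; allowed[] is a
 * hypothetical operator-supplied allowlist, not an OpenSIPS feature. */
enum origin_verdict check_origin(const char *req, const char *const *allowed,
                                 size_t n_allowed, int require_origin)
{
    size_t len = 0;
    const char *origin = find_origin(req, &len);
    if (!origin)                                         /* non-browser client */
        return require_origin ? ORIGIN_REJECT_MISSING : ORIGIN_ACCEPT;
    for (size_t i = 0; i < n_allowed; i++)               /* exact match, no prefixes */
        if (strlen(allowed[i]) == len && ieq(origin, allowed[i], len))
            return ORIGIN_ACCEPT;
    return ORIGIN_REJECT_FORBIDDEN;
}
```

The allowlist comparison is a full-length match, so an origin that merely begins with an allowed value is rejected, and a header such as `X-Origin` is not mistaken for `Origin`.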