mashupbots / socko

A Scala web server powered by Netty networking and AKKA processing.

When establishing a WebSocket, handle empty `Host` header #102

Open tkellogg opened 9 years ago

tkellogg commented 9 years ago

I found this because our production environment is logging a lot of these exceptions. It appears that some clients are sending malformed requests to initiate a WebSocket session. Socko seems to report this as 500 and logs an exception; however, it should report 400.

Specifically, the problem is on this line: https://github.com/mashupbots/socko/blob/master/socko-webserver/src/main/scala/org/mashupbots/socko/events/HttpRequestMessage.scala#L129

From glancing through Netty source code, it looks like `getHost` will return null when the Host header is absent. I was going to send a pull request for this issue but I'm not familiar enough with Socko to know the proper place to check for & report the error.

malibuworkcrew commented 9 years ago

Incidentally, this can cause any HTTP/1.0 call without a host on its header to hang indefinitely, making Socko very vulnerable to DDoS.
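
An added example, not part of this thread and not Socko or Netty code: one way to validate the `Host` header before building the WebSocket URL, so that a missing or empty value produces a 400 instead of a null dereference. The `Request`, `Accept`, `Reject` and `check` names are hypothetical, and the sample requests are constructed.

```scala
// Added example: hypothetical names, no Socko or Netty types involved.
object HandshakeHostCheck {
  // Minimal stand-in for a parsed HTTP request.
  final case class Request(version: String, headers: Seq[(String, String)], uri: String)

  sealed trait Result
  final case class Accept(wsUrl: String) extends Result
  // The caller is expected to write this status and then close the connection,
  // so a rejected handshake never leaves the socket waiting.
  final case class Reject(status: Int, reason: String) extends Result

  // All values of a header, matched case-insensitively and trimmed.
  private def values(req: Request, name: String): Seq[String] =
    req.headers.collect { case (k, v) if k.equalsIgnoreCase(name) => v.trim }

  def check(req: Request, secure: Boolean): Result = {
    val hosts = values(req, "Host")
    if (req.version == "HTTP/1.0")
      Reject(400, "WebSocket handshake requires HTTP/1.1 or later")
    else if (hosts.size != 1 || hosts.head.isEmpty)
      Reject(400, "Missing, empty or repeated Host header")
    else if (!values(req, "Upgrade").exists(_.equalsIgnoreCase("websocket")))
      Reject(400, "Not a WebSocket upgrade request")
    else {
      // Host is known to be present and non-empty here, so no null can reach the URL.
      val scheme = if (secure) "wss" else "ws"
      Accept(s"$scheme://${hosts.head}${req.uri}")
    }
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample requests covering the cases raised in the thread.
    val ok        = Request("HTTP/1.1", Seq("Host" -> "example.test", "Upgrade" -> "websocket"), "/ws")
    val noHost    = Request("HTTP/1.1", Seq("Upgrade" -> "websocket"), "/ws")
    val emptyHost = Request("HTTP/1.1", Seq("Host" -> " ", "Upgrade" -> "websocket"), "/ws")
    val http10    = Request("HTTP/1.0", Seq("Upgrade" -> "websocket"), "/ws")
    Seq(ok, noHost, emptyHost, http10).foreach(r => println(check(r, secure = false)))
  }
}
```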