From 51d0d24941bbf3b50a31f3817d66eae9724e5cf3 Mon Sep 17 00:00:00 2001 From: Troy McCormick Date: Thu, 20 Dec 2012 10:01:14 -0800 Subject: [PATCH] Added an Origin Check... Not sure if this is the best way to accomplish it or not, but added an Origin check to make sure it matches where you are expecting your users to be coming from during the handshake. --- class.PHPWebSocket.php | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/class.PHPWebSocket.php b/class.PHPWebSocket.php index a20ea9d..abf8c71 100644 --- a/class.PHPWebSocket.php +++ b/class.PHPWebSocket.php @@ -35,7 +35,9 @@ class PHPWebSocket // the maximum length, in bytes, of a message's payload data, this is also internally limited to 2,147,483,647 const WS_MAX_MESSAGE_PAYLOAD_RECV = 500000; - + // check the Origin header matches a designated URL + const WS_ORIGIN_CHECK = true; + const WS_ORIGIN_URL = 'http://localhost/'; // internal @@ -608,8 +610,16 @@ function wsProcessClientHandshake($clientID, &$buffer) { for ($i=1; $i<$headersCount; $i++) { $parts = explode(':', $headers[$i]); if (!isset($parts[1])) return false; - - $headersKeyed[trim($parts[0])] = trim($parts[1]); + if ($parts[0] == 'Origin') { + $headersKeyed[trim($parts[0])] = str_replace('Origin: ', '', trim($headers[$i])); + } else { + $headersKeyed[trim($parts[0])] = trim($parts[1]); + } + } + + // check Origin matches, if requested to do so + if (self::WS_ORIGIN_CHECK) { + if ($headersKeyed['Origin'] != self::WS_ORIGIN_URL) return false; } // check Host header was received @@ -755,4 +765,4 @@ function unbind( $type='' ) else $this->wsOnEvents = array(); } } -?> \ No newline at end of file +?>
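Review bot: The default `WS_ORIGIN_URL = 'http://localhost/'` carries a trailing slash, but a browser serializes the Origin header as scheme://host[:port] with no path (RFC 6454), so with `WS_ORIGIN_CHECK` enabled the exact-match test in wsProcessClientHandshake would refuse every browser client until the value is edited to `'http://localhost'`. Because the compare is exact, the constant also has to carry the port whenever the page is not served on 80/443, e.g. `'http://localhost:8080'`. The comment above the constants should also say what the check does and does not buy, since any non-browser client can send whatever Origin it likes: `// Origin check: stops cross-site browser pages only; a non-browser client can forge this header, so it is not authentication`.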
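Review bot: `$headersKeyed['Origin']` is read without an `isset()` guard in the new Origin block, so a client that omits the header (any non-browser client) triggers an undefined-index notice before the handshake is refused; the check should be `if (!isset($headersKeyed['Origin']) || $headersKeyed['Origin'] !== self::WS_ORIGIN_URL) return false;`, which also replaces the loose `!=` with a strict compare. The `str_replace('Origin: ', '', ...)` special case exists only because `explode(':', $headers[$i])` also splits on the colon inside the URL; passing a limit, `$parts = explode(':', $headers[$i], 2);`, keeps the whole value in `$parts[1]` for Origin and for every other header whose value contains a colon (a `Host` with a port, for instance), so the added if/else can collapse back to the original single `$headersKeyed[trim($parts[0])] = trim($parts[1]);`. Header names are case-insensitive on the wire but `$parts[0] == 'Origin'` and the `$headersKeyed['Origin']` lookup are not, so a client sending `origin:` is stored under a different key and rejected even when its value matches; lowercasing the key at store time would fix that, though the existing Host lookup below appears to follow the same case-sensitive pattern. The body of wsProcessClientHandshake starts and ends outside this hunk.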