Reading data from a socket, considerations for robustness and security

Posted by w.brian on Stack Overflow See other posts from Stack Overflow or by w.brian
Published on 2011-03-16T16:07:56Z Indexed on 2011/03/16 16:10 UTC
Read the original article Hit count: 305

Filed under:

http

|

sockets

|

tcp

|

web-security

|

socketserver

I am writing a socket server that will implement small portions of the HTTP and the WebSocket protocol, and I'm wondering what I need to take into consideration in order to make it robust/secure. This is my first time writing a socket-based application so please excuse me if any of my questions are particularly naive. Here goes:

Is it wrong to assume that you've received an entire HTTP request (WebSocket request, etc) if you've read all data available from the socket? Likewise, is it wrong to assume you've only received one request? Is TCP responsible for making sure I'm getting the "message" all at once as sent by the client? Or do I have to manually detect the beginning and end of each "message" for whatever protocol I'm implementing?

Regarding security: What, in general, should I be aware of? Are there any common pitfalls when implementing something like this?

As always, any feedback is greatly appreciated.

© Stack Overflow or respective owner

Related posts about http

the size of apt-get update lists is too big

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I ran a clean install to Ubuntu 12.04 and so far everything has been working well. I especially commend the Ubuntu team for this release. I only noticed that the size of repository update is now about ~13MB. Normally, it is about this size for the first time you run apt-get update after a clean install… >>> More
Cannot update, apt-get cannot fetch index files

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have a fresh install of Ubuntu 11.10 from the iso 'ubuntu-11.10-desktop-amd64.iso'. I installed this in VMWare Fusion 4.1.1 running on OSX 10.7.3. When setting up the VM, I allowed easy install to take care of creating my user and installing VMWare tools. No problems during installation, everything… >>> More
Quantal: Broken apt-index, cant fix dependencies

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I can't seem to add/remove/update packages Ubuntu software update has a notice about partial upgrades but fails Seems to be similar to this problem $ sudo apt-get update Ign http://archive.ubuntu.com quantal InRelease Ign http://security.ubuntu.com precise-security InRelease Ign… >>> More
12.04: Apt-Get Update: failure to fetch; can't connect to any sources

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I realize there are dozens of "apt-get update: failure to fetch" questions (I read through all I could find), but my present circumstance is unique to 12.04 and it affects all sources; not just launchpad. Additionally, I've tried several different servers in Europe and the U.S. as well as the "main… >>> More
How can I remove the Translation entries in apt?

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
This is the output of aptitude update: Ign http://archive.canonical.com natty InRelease Ign http://extras.ubuntu.com natty InRelease Ign http://dl.google.com stable InRelease Ign http://security.ubuntu.com natty-security InRelease Hit http://deb.torproject.org natty InRelease Get:1 http://dl.google… >>> More

Related posts about sockets

Performance implications of Synchronous Sockets vs Asynchronous Sockets

as seen on Stack Overflow - Search for 'Stack Overflow'
We are trying to build an SMTP Server to receive mail notifications from various clients over internet. As each of the communication will be longer and it needs to log everything, doing this Asynchronous way is little challenging as well as by using Socket's Asynchronous methods we are not sure of… >>> More
Multiple INET sockets (mulple IP's too) connected to UNIX sockets

as seen on Server Fault - Search for 'Server Fault'
HOST = same host all the time, accepts multiple connection. I have a dedicated server and I will buy extra IP's. Socket 1 connects to HOST:PORT, from IP-1 Socket 2 connects to HOST:PORT, from IP-1 Socket 3 connects to HOST:PORT, from IP-1 Socket 4 connects to HOST:PORT, from IP-2 Socket 5 connects… >>> More
Multiple INET sockets (mulple IP's too) connected to UNIX sockets

as seen on Stack Overflow - Search for 'Stack Overflow'
HOST = same host all the time, accepts multiple connection. I have a dedicated server and I will buy extra IP's. Socket 1 connects to HOST:PORT, from IP-1 Socket 2 connects to HOST:PORT, from IP-1 Socket 3 connects to HOST:PORT, from IP-1 Socket 4 connects to HOST:PORT, from IP-2 Socket 5 connects… >>> More
Do WebSockets have exclusive access to their sockets?

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm curious to know if, after a WebSocket has been established (after having received the proper handshake from a server that supports them), whether or not the TCP socket used by the "WebSocket connection" is used exclusively by the WebSocket, or if the browser may still make regular HTTP requests… >>> More
What Parallel computing APIs make good use of sockets?

as seen on Stack Overflow - Search for 'Stack Overflow'
My program uses sockets, what Parallel computing APIs could I use that would help me without obligating me to go from sockets to anything else? When we are on a cluster with a special, non-socket infrastructure system this API would emulate something like sockets but using that infrastructure (so… >>> More