Diffstat (limited to 'src')
-rw-r--r-- | src/imports/qmlwebsockets/qqmlwebsocket.h | 2 | ||||
-rw-r--r-- | src/websockets/qdefaultmaskgenerator_p.cpp | 18 | ||||
-rw-r--r-- | src/websockets/qmaskgenerator.cpp | 2 | ||||
-rw-r--r-- | src/websockets/qwebsocket.cpp | 4 | ||||
-rw-r--r-- | src/websockets/qwebsocket_p.cpp | 2 | ||||
-rw-r--r-- | src/websockets/qwebsocketserver.h | 3 |
6 files changed, 15 insertions, 16 deletions
diff --git a/src/imports/qmlwebsockets/qqmlwebsocket.h b/src/imports/qmlwebsockets/qqmlwebsocket.h
index c3a808f..8db435d 100644
--- a/src/imports/qmlwebsockets/qqmlwebsocket.h
+++ b/src/imports/qmlwebsockets/qqmlwebsocket.h
@@ -54,7 +54,6 @@ class QQmlWebSocket : public QObject, public QQmlParserStatus
     Q_DISABLE_COPY(QQmlWebSocket)
     Q_INTERFACES(QQmlParserStatus)
-    Q_ENUMS(Status)
 
     Q_PROPERTY(QUrl url READ url WRITE setUrl NOTIFY urlChanged)
     Q_PROPERTY(Status status READ status NOTIFY statusChanged)
     Q_PROPERTY(QString errorString READ errorString NOTIFY errorStringChanged)
@@ -73,6 +72,7 @@ public:
         Closed = 3,
         Error = 4
     };
+    Q_ENUM(Status)
 
     QUrl url() const;
     void setUrl(const QUrl &url);
diff --git a/src/websockets/qdefaultmaskgenerator_p.cpp b/src/websockets/qdefaultmaskgenerator_p.cpp
index 1035e8f..7dc0cee 100644
--- a/src/websockets/qdefaultmaskgenerator_p.cpp
+++ b/src/websockets/qdefaultmaskgenerator_p.cpp
@@ -48,7 +48,7 @@
     malicious scripts to attack bad behaving proxies.
     For more information about the importance of good masking,
     see \l {"Talking to Yourself for Fun and Profit" by Lin-Shung Huang et al}.
-    The default mask generator uses the cryptographically insecure qrand() function.
+    The default mask generator uses the reasonably secure QRandomGenerator::get32() function.
     The best measure against attacks mentioned in the document above,
     is to use QWebSocket over a secure connection (\e wss://).
     In general, always be careful to not have 3rd party script access to
@@ -58,8 +58,7 @@
 */
 
 #include "qdefaultmaskgenerator_p.h"
-#include <QDateTime>
-#include <limits>
+#include <QRandomGenerator>
 
 QT_BEGIN_NAMESPACE
 
@@ -83,25 +82,26 @@ QDefaultMaskGenerator::~QDefaultMaskGenerator()
 }
 
 /*!
-    Seeds the QDefaultMaskGenerator using qsrand().
-    When seed() is not called, no seed is used at all.
-
     \internal
 */
 bool QDefaultMaskGenerator::seed() Q_DECL_NOEXCEPT
 {
-    qsrand(static_cast<uint>(QDateTime::currentMSecsSinceEpoch()));
     return true;
 }
 
 /*!
-    Generates a new random mask using the insecure qrand() method.
+    Generates a new random mask using the insecure QRandomGenerator::get32() method.
     \internal
 */
 quint32 QDefaultMaskGenerator::nextMask() Q_DECL_NOEXCEPT
 {
-    return quint32((double(qrand()) / RAND_MAX) * std::numeric_limits<quint32>::max());
+    quint32 value = QRandomGenerator::get32();
+    while (Q_UNLIKELY(value == 0)) {
+        // a mask of zero has a special meaning
+        value = QRandomGenerator::get32();
+    }
+    return value;
 }
 
 QT_END_NAMESPACE
 
diff --git a/src/websockets/qmaskgenerator.cpp b/src/websockets/qmaskgenerator.cpp
index 064ada2..56d1223 100644
--- a/src/websockets/qmaskgenerator.cpp
+++ b/src/websockets/qmaskgenerator.cpp
@@ -50,7 +50,7 @@
     malicious scripts from attacking badly behaving proxies.
     For more information about the importance of good masking,
     see \l {"Talking to Yourself for Fun and Profit" by Lin-Shung Huang et al}.
-    By default QWebSocket uses the cryptographically insecure qrand() function.
+    By default QWebSocket uses the reasonably secure QRandomGenerator::get32() function.
     The best measure against attacks mentioned in the document above,
     is to use QWebSocket over a secure connection (\e wss://).
     In general, always be careful to not have 3rd party script access to
diff --git a/src/websockets/qwebsocket.cpp b/src/websockets/qwebsocket.cpp
index ba343e4..30bb39d 100644
--- a/src/websockets/qwebsocket.cpp
+++ b/src/websockets/qwebsocket.cpp
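Review bot: The doc comment on nextMask() in this hunk still calls QRandomGenerator::get32() "insecure", while the file-level doc in the earlier hunk of this file (and the matching lines in qmaskgenerator.cpp and qwebsocket.cpp) now calls the same function "reasonably secure"; the two statements contradict each other in the one place a reader looks for the masking guarantee. Which wording is right depends on what get32() draws from, which the page does not show: if it is the seeded global PRNG rather than the system CSPRNG (`QRandomGenerator::system()`), mask values are unpredictable only as far as that PRNG's state is, and the comment should name the generator rather than grade it. I would make the comment read `Generates a new random mask using QRandomGenerator::get32(); unpredictable masks are what defend against the proxy-poisoning attack described in the file header.` and align the header text with it. The seed() body in the same hunk now returns true without doing anything, so a one-line comment such as `// nothing to seed: QRandomGenerator is seeded by Qt` would save the next reader a search.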
@@ -63,8 +63,8 @@
     In that case, non-secure WebSocket connections fail.
     The best way to mitigate against this problem is to use WebSocket over a secure connection.
 
-    \warning To generate masks, this implementation of WebSockets uses the cryptographically
-    insecure qrand() function.
+    \warning To generate masks, this implementation of WebSockets uses the reasonably
+    secure QRandomGenerator::get32() function.
     For more information about the importance of good masking, see
     \l {"Talking to Yourself for Fun and Profit" by Lin-Shung Huang et al}.
     The best measure against attacks mentioned in the document above,
diff --git a/src/websockets/qwebsocket_p.cpp b/src/websockets/qwebsocket_p.cpp
index bee2afa..1d23c84 100644
--- a/src/websockets/qwebsocket_p.cpp
+++ b/src/websockets/qwebsocket_p.cpp
@@ -1014,7 +1014,7 @@ void QWebSocketPrivate::processHandshake(QTcpSocket *pSocket)
             if (!ok)
                 errorDescription =
                     QWebSocket::tr("Accept-Key received from server %1 does not match the client key %2.")
-                    .arg(acceptKey).arg(accept);
+                    .arg(acceptKey, accept);
         } else {
             errorDescription =
                 QWebSocket::tr("QWebSocketPrivate::processHandshake: Invalid statusline in response: %1.")
diff --git a/src/websockets/qwebsocketserver.h b/src/websockets/qwebsocketserver.h
index f846290..9dc286b 100644
--- a/src/websockets/qwebsocketserver.h
+++ b/src/websockets/qwebsocketserver.h
@@ -65,8 +65,6 @@ class Q_WEBSOCKETS_EXPORT QWebSocketServer : public QObject
     Q_DISABLE_COPY(QWebSocketServer)
     Q_DECLARE_PRIVATE(QWebSocketServer)
 
-    Q_ENUMS(SslMode)
-
 public:
     enum SslMode {
 #ifndef QT_NO_SSL
@@ -74,6 +72,7 @@ public:
 #endif
         NonSecureMode = 1
     };
+    Q_ENUM(SslMode)
 
     explicit QWebSocketServer(const QString &serverName, SslMode secureMode,
                               QObject *parent = Q_NULLPTR);