fix: check WebSocket MASK bit before reading masking key (RFC 6455 §5.2)

AAtomical · AAtomical · commit db3bf9990f68 · 2026-05-09T15:22:38.000-04:00
diff --git a/code/default/lib/noarch/simple_http_server.py b/code/default/lib/noarch/simple_http_server.py
@@ -281,15 +281,25 @@ def WebSocket_receive_worker(self):
                 if h is None or len(h) == 0:
                     break
 
-                length = ord(h[1]) & 127
+                # RFC 6455 §5.2: bit 7 of byte 2 is the MASK flag.
+                # If MASK=1 a 4-byte masking key follows the (extended) length;
+                # if MASK=0 the payload begins immediately — no key is present.
+                is_masked = bool(ord(h[1]) & 0x80)
+                length = ord(h[1]) & 0x7F
                 if length == 126:
                     length = struct.unpack(">H", self.rfile.read(2))[0]
                 elif length == 127:
                     length = struct.unpack(">Q", self.rfile.read(8))[0]
-                masks = [ord(byte) for byte in self.rfile.read(4)]
-                decoded = ""
-                for char in self.rfile.read(length):
-                    decoded += chr(ord(char) ^ masks[len(decoded) % 4])
+
+                if is_masked:
+                    masks = [ord(byte) for byte in self.rfile.read(4)]
+                    decoded = "".join(
+                        chr(ord(char) ^ masks[i % 4])
+                        for i, char in enumerate(self.rfile.read(length))
+                    )
+                else:
+                    decoded = "".join(chr(ord(c)) for c in self.rfile.read(length))
+
                 try:
                     self.WebSocket_on_message(decoded)
                 except Exception as e:
