Bug#976437: libwebkit2gtk-4.0-37: Websocket sends appens extra bytes to messages

Claudio Saavedra csaavedra at igalia.com
Mon Dec 7 13:12:57 GMT 2020

On Mon, 2020-12-07 at 12:46 +0100, Alberto Garcia wrote:

> Do I understand correctly that this is due to bugs in libsoup then?

Yes. libsoup versions previous to 2.68 don't have a WebSocket
implementation that had been thoroughly tested (or tested at all) with
WebKit. If you have a WebKit version that uses libsoup's websockets,
you MUST use 2.68 or newer. 

> If this was working in earlier versions of webkit I only see two
> options:
> - Reverting the changes in WebKit (probably  
> https://trac.webkit.org/changeset/248099/webkit)
> - Updating libsoup, or backporting the relevant fixes (if libsoup is
>   indeed buggy).

I think in this case the easiest is to actually backport the libsoup
bug fixes. It's also what makes more sense from a security perspective,
as those are fixes to the websocket implementation in libsoup that is
probably used by other applications as well. Reverting the WebKit
changeset will not fix libsoup's bugs.

Note that there is also new WebSockets API for extensions added to
libsoup at that point, but I think most if not all of the bug fixes
might be easily backported without introducing the new API.

Also, note that there might be other patches in WebKit that relate to
this as subsequent code fixes. I don't think reverting this in WK will
be straightforward.


More information about the Pkg-webkit-maintainers mailing list