
Security issues with hyper versions < 0.14.10 #262

Open
1c3t3a opened this issue Nov 10, 2021 · 3 comments

Comments

@1c3t3a

1c3t3a commented Nov 10, 2021

Hi there! I am using the websocket crate in one of my projects and I got a hint that I am depending on hyper version 0.10.6, which is vulnerable to RUSTSEC-2021-0079 and RUSTSEC-2021-0078. As it turns out the dependency was introduced through this library. I've looked into this and a potential fix would be to bump the hyper version to >=0.14.10, but this would introduce quite a few changes to this library as hyper changed its whole header API (and more).
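A way to confirm which crate pulls the affected hyper series into a build, as an added example that is not code from this issue or from rust-websocket: it parses a constructed Cargo.lock fragment (an assumption shaped like the situation above) and lists the reverse dependencies of a given hyper series, including the version-qualified entries Cargo writes when two hyper series coexist. On a real project `cargo tree -i` gives the same answer; the script shows what the lock file itself encodes.

```shell
# Constructed Cargo.lock fragment (assumption, not from the project): two hyper
# series coexist, so Cargo version-qualifies the ambiguous dependency entries.
SAMPLE_LOCK='[[package]]
name = "hyper"
version = "0.10.6"

[[package]]
name = "hyper"
version = "0.14.10"

[[package]]
name = "rust_socketio"
version = "0.3.0"
dependencies = [
 "websocket",
]

[[package]]
name = "websocket"
version = "0.26.5"
dependencies = [
 "hyper 0.10.6",
]'

# reverse_deps CRATE SERIES < Cargo.lock
# Prints "<package> <version> <resolved CRATE version>" for every package whose
# dependency list pulls in CRATE from SERIES (e.g. 0.10). An entry without a
# version suffix is resolved only when the lock holds exactly one CRATE version.
reverse_deps() {
  awk -v crate="$1" -v series="$2" '
    /^\[\[package\]\]/ { name = ""; version = "" }
    /^name = /    { gsub(/"/, "", $3); name = $3 }
    /^version = / { gsub(/"/, "", $3); version = $3
                    if (name == crate) { nver++; lastver = version } }
    /^ "/ { line = $0; gsub(/[",]/, "", line); split(line, f, " ")
            if (f[1] == crate) edge[++n] = name " " version " " f[2] }
    END {
      for (i = 1; i <= n; i++) {
        split(edge[i], e, " ")
        depver = (e[3] != "") ? e[3] : (nver == 1 ? lastver : "?")
        if (index(depver, series ".") == 1) print e[1], e[2], depver
      }
    }'
}

# Example run: which crate in the sample lock pulls in the hyper 0.10 series?
printf '%s\n' "$SAMPLE_LOCK" | reverse_deps hyper 0.10
```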

@vi
Member

vi commented Nov 10, 2021

It is hard to upgrade rust-websocket from hyper 0.10 to 0.12 (and I assume to further versions as well). Hyper got a significant API redesign after 0.10.

Does tungstenite (or its async versions) suit your needs? If no, what rust-websocket features not present in tungstenite do you need? If yes, you should probably use tungstenite instead, as rust-websocket is almost unmaintained.
As for RUSTSEC-2021-0079 and RUSTSEC-2021-0078 specifically, I'm not sure those specific headers apply to Websockets. rust-websocket-only usage of Hyper 0.10 may or may not be vulnerable - needs additional research.

@1c3t3a
Author

1c3t3a commented Nov 11, 2021

I see... Yeah, we're thinking about switching to tokio-tungstenite (as explained in the other issue). But it would be nice to know if this introduces a risk for the users of rust-socketio. Where would I need to look it up in code if I want to find out?

@seanpianka

In my case, I need websocket because headless_chrome is written using it. I assume the list of breaking changes between Hyper 0.10 and 0.15 is quite long though. I'll look into how much effort it'd be to port headless_chrome to tungstenite.
