reject websocket close codes above the valid range

[dxbjavid]

What do these changes do?

The websocket reader already rejects invalid close codes when it parses a CLOSE frame, but only at the low end of the range: a code under 3000 that isn't one of the registered ones raises a protocol error. There's no matching check at the top, so anything from 5000 up to 65535 is treated as a perfectly normal close code. :rfc:6455#section-7.4.1 only defines status codes up to 4999, so a peer can send a CLOSE frame carrying e.g. 65535 and we hand that straight through to the application as the close code rather than failing the connection. I noticed it while reading the close handling next to the lower-bound guard and the upper half just wasn't there. This adds the missing > 4999 check alongside the existing one so out-of-range codes are rejected the same way the low ones are.

Are there changes in behavior for the user?

A CLOSE frame whose status code is above 4999 now raises a protocol error instead of being delivered as a valid close. Codes in the permitted 1000-4999 range behave exactly as before.

Is it a substantial burden for the maintainers to support this?

No, it's a one-line addition to a check that already exists.

Related issue number

None. Spotted while reading through the close-frame handling.

Checklist

• I think the code is well written
• Unit tests for the changes exist
• Documentation reflects the changes — N/A
• If you provide code modification, please add yourself to CONTRIBUTORS.txt
• Add a new news fragment into the CHANGES/ folder

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.95%. Comparing base (eb4d960) to head (aaba51a).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #12895   +/-   ##
=======================================
  Coverage   98.95%   98.95%           
=======================================
  Files         131      131           
  Lines       47824    47830    +6     
  Branches     2480     2480           
=======================================
+ Hits        47324    47330    +6     
  Misses        376      376           
  Partials      124      124           

Flag	Coverage Δ
Autobahn	22.29% <22.22%> (+<0.01%)	⬆️
CI-GHA	98.92% <100.00%> (+<0.01%)	⬆️
OS-Linux	98.68% <100.00%> (+<0.01%)	⬆️
OS-Windows	97.05% <88.88%> (+<0.01%)	⬆️
OS-macOS	97.96% <88.88%> (+<0.01%)	⬆️
Py-3.10	98.17% <100.00%> (-0.01%)	⬇️
Py-3.11	98.42% <100.00%> (+<0.01%)	⬆️
Py-3.12	98.51% <100.00%> (+<0.01%)	⬆️
Py-3.13	98.49% <100.00%> (+<0.01%)	⬆️
Py-3.14	98.51% <100.00%> (+<0.01%)	⬆️
Py-3.14t	97.59% <88.88%> (-0.01%)	⬇️
Py-pypy-3.11	97.47% <100.00%> (+0.02%)	⬆️
VM-macos	97.96% <88.88%> (+<0.01%)	⬆️
VM-ubuntu	98.68% <100.00%> (+<0.01%)	⬆️
VM-windows	97.05% <88.88%> (+<0.01%)	⬆️
cython-coverage	38.08% <88.88%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

[codspeed-hq]

Merging this PR will not alter performance

✅ 79 untouched benchmarks
⏩ 79 skipped benchmarks¹

---

_{Comparing dxbjavid:ws-close-code-upper-bound (aaba51a) with master (eb4d960)}

Footnotes

1. 79 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩