public-offering
/
pad.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #1035 from amtep/develop 

Guard against malicious clients in USERINFO_UPDATE handling
pull/1059/head
John McLear 2012-10-11 08:27:27 -07:00
parent bedc51d2e3 85b44119ae
commit d7ec050f34
1 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/node/handler/PadMessageHandler.js
View File

@ -417,22 +417,34 @@ function handleUserInfoUpdate(client, message)
authorManager.setAuthorName(author, message.data.userInfo.name); authorManager.setAuthorName(author, message.data.userInfo.name);
var padId = sessioninfos[client.id].padId; var padId = sessioninfos[client.id].padId;
var infoMsg = {
type: "COLLABROOM",
data: {
// The Client doesn't know about USERINFO_UPDATE, use USER_NEWINFO
type: "USER_NEWINFO",
userInfo: {
userId: author,
name: message.data.userInfo.name,
colorId: message.data.userInfo.colorId,
userAgent: "Anonymous",
ip: "127.0.0.1",
}
}
};
//set a null name, when there is no name set. cause the client wants it null //set a null name, when there is no name set. cause the client wants it null
if(message.data.userInfo.name == null) if(infoMsg.data.userInfo.name == null)
{ {
message.data.userInfo.name = null; infoMsg.data.userInfo.name = null;
} }
//The Client don't know about a USERINFO_UPDATE, it can handle only new user_newinfo, so change the message type
message.data.type = "USER_NEWINFO";
//Send the other clients on the pad the update message //Send the other clients on the pad the update message
for(var i in pad2sessions[padId]) for(var i in pad2sessions[padId])
{ {
if(pad2sessions[padId][i] != client.id) if(pad2sessions[padId][i] != client.id)
{ {
socketio.sockets.sockets[pad2sessions[padId][i]].json.send(message); socketio.sockets.sockets[pad2sessions[padId][i]].json.send(infoMsg);
} }
} }
} }