Commit e4841212 authored by Richard Braakman's avatar Richard Braakman Committed by Marcel Klehr

USERINFO_UPDATE: construct a new message for broadcast

The server was reusing the client's message when broadcasting userinfo
updates. This would allow a malicious client to insert arbitrary fields
into a message that the other clients would trust as coming from the
server. For example, adding "disconnect" or renaming other authors.

This commit fixes it by having the server construct a new message with
known fields before broadcasting.
parent 8ea3ee08
......@@ -417,22 +417,34 @@ function handleUserInfoUpdate(client, message)
authorManager.setAuthorName(author, message.data.userInfo.name);
var padId = sessioninfos[client.id].padId;
var infoMsg = {
type: "COLLABROOM",
data: {
// The Client doesn't know about USERINFO_UPDATE, use USER_NEWINFO
type: "USER_NEWINFO",
userInfo: {
userId: author,
name: message.data.userInfo.name,
colorId: message.data.userInfo.colorId,
userAgent: "Anonymous",
ip: "127.0.0.1",
}
}
};
//set a null name, when there is no name set. cause the client wants it null
if(message.data.userInfo.name == null)
if(infoMsg.data.userInfo.name == null)
{
message.data.userInfo.name = null;
infoMsg.data.userInfo.name = null;
}
//The Client don't know about a USERINFO_UPDATE, it can handle only new user_newinfo, so change the message type
message.data.type = "USER_NEWINFO";
//Send the other clients on the pad the update message
for(var i in pad2sessions[padId])
{
if(pad2sessions[padId][i] != client.id)
{
socketio.sockets.sockets[pad2sessions[padId][i]].json.send(message);
socketio.sockets.sockets[pad2sessions[padId][i]].json.send(infoMsg);
}
}
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment