Commit e4841212 authored by Richard Braakman, committed by Marcel Klehr

USERINFO_UPDATE: construct a new message for broadcast

The server was reusing the client's message when broadcasting userinfo
updates. This would allow a malicious client to insert arbitrary fields
into a message that the other clients would trust as coming from the
server. For example, adding "disconnect" or renaming other authors.

This commit fixes it by having the server construct a new message with
known fields before broadcasting.
parent 8ea3ee08
......@@ -417,22 +417,34 @@ function handleUserInfoUpdate(client, message)
var padId = sessioninfos[].padId;
var infoMsg = {
data: {
// The Client doesn't know about USERINFO_UPDATE, use USER_NEWINFO
userInfo: {
userId: author,
userAgent: "Anonymous",
ip: "",
//set a null name, when there is no name set. cause the client wants it null
if( == null)
if( == null)
{ = null; = null;
//The Client don't know about a USERINFO_UPDATE, it can handle only new user_newinfo, so change the message type = "USER_NEWINFO";
//Send the other clients on the pad the update message
for(var i in pad2sessions[padId])
if(pad2sessions[padId][i] !=
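Review bot: the allowlisted `infoMsg` is the right fix, but the fields that are still copied from the client's message (the name/colour handling around `if( == null)`, whose property names are not legible in this rendering) should also be type- and length-checked before broadcast, since only the set of fields is now controlled, not their values. Hard-coding `userAgent: "Anonymous"` and `ip: ""` in the server-built message is good, as it keeps per-client data from being relayed to other pad members. The broadcast loop `for(var i in pad2sessions[padId])` correctly skips the sender, but a short comment stating that `infoMsg` is built server-side precisely so that `message` is never forwarded would make the intent of the change survive future edits.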