Commit e4841212 authored by Committed by Marcel Klehr
USERINFO_UPDATE: construct a new message for broadcast
The server was reusing the client's message when broadcasting userinfo updates. This would allow a malicious client to insert arbitrary fields into a message that the other clients would trust as coming from the server. For example, adding "disconnect" or renaming other authors. This commit fixes it by having the server construct a new message with known fields before broadcasting.
Showing with 18 additions and 6 deletions
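The fix described in the commit message, sketched as an added example that is not the project's code: the relay pattern beside a handler that builds the broadcast from known fields only. The message shape, the field names (`userInfo`, `name`, `colorId`, `userId`), the `session.authorId` source and the validation limits are assumptions for illustration.

```javascript
// Added example; message shape and field names are assumed, not the project's.

// Pattern the commit removes: the client's object is relayed as-is, so every
// extra field the client attached reaches the other clients.
function relayUnsafe(clientMsg) {
  return clientMsg;
}

// Pattern the commit introduces: build a fresh object and copy only known,
// validated fields. The author identity comes from the server-side session,
// never from the client's message.
function buildBroadcast(clientMsg, session) {
  const info = clientMsg && clientMsg.data && clientMsg.data.userInfo;
  if (info === null || typeof info !== 'object') return null;

  const name = typeof info.name === 'string' ? info.name.slice(0, 64) : null;
  const colorOk = typeof info.colorId === 'string' &&
    /^#[0-9a-f]{6}$/i.test(info.colorId);
  if (!colorOk) return null; // reject rather than forward unvalidated input

  return {
    type: 'USERINFO_UPDATE',
    data: { userInfo: { userId: session.authorId, name, colorId: info.colorId } },
  };
}

// Constructed sample: a client message carrying an extra top-level field,
// another author's id, and an unknown nested field.
const session = { authorId: 'a.alice' };
const hostile = {
  type: 'USERINFO_UPDATE',
  disconnect: 'kicked',
  data: {
    userInfo: { userId: 'a.bob', name: 'Mallory', colorId: '#ff0000', extra: 1 },
  },
};

console.log('relayed :', JSON.stringify(relayUnsafe(hostile)));
console.log('rebuilt :', JSON.stringify(buildBroadcast(hostile, session)));
```

An allowlist fails closed: a field added to the client protocol later is not forwarded until the server handler is updated to copy it.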