libre-service.eu/pad.libre-service.eu-etherpad
libre-service.eu/pad.libre-service.eu-etherpad
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-01-31 19:02:59 +01:00
Code Issues Projects Releases Wiki Activity

PadMessageHandler: prohibit reading of message.data.padId

Browse source
This commit is contained in:
webzwo0i 2022-02-24 00:11:08 +01:00
parent 32c82917e3
commit 1d395bf70b
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/node/handler/PadMessageHandler.js
View file

@ -250,6 +250,12 @@ exports.handleMessage = async (socket, message) => {
throw new Error('message.padId must not be accessed (for security reasons)'); throw new Error('message.padId must not be accessed (for security reasons)');
}}); }});
if (message.data) {
Object.defineProperty(message.data, 'padId', {get: () => {
throw new Error('message.data.padId must not be accessed (for security reasons)');
}});
}
const auth = thisSession.auth; const auth = thisSession.auth;
if (!auth) { if (!auth) {
const ip = settings.disableIPlogging ? 'ANONYMOUS' : (socket.request.ip || '<unknown>'); const ip = settings.disableIPlogging ? 'ANONYMOUS' : (socket.request.ip || '<unknown>');