libre-service.eu/pad.libre-service.eu-etherpad
libre-service.eu/pad.libre-service.eu-etherpad
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-02-01 03:12:42 +01:00
Code Issues Projects Releases Wiki Activity

db/SecurityManager.js: accessing without session a public group pad no longer causes a crash

Browse source 
Steps to reproduce (via HTTP API):
1. create a group via createGroup()
2. create a group pad inside that group via createGroupPad()
3. make that pad public calling setPublicStatus(true)
4. access the pad via a clean web browser (with no sessions)
5. UnhandledPromiseRejectionWarning: apierror: sessionID does not exist

This was due to an overlook in 769933786c: "apierror: sessionID does not
exist" may be a legal condition if we are also visiting a public pad. The
function that could throw that error was sessionManager.getSessionInfo(), and
thus it needed to be inside the try...catch block.

Please note that calling getText() on the pad always return the pad contents,
*even for non-public pads*, because the API bypasses the security checks and
directly talks to the DB layer.

Fixes #3600.
This commit is contained in:
muxator 2019-12-26 00:30:43 +01:00
parent 0b3cf7cc96
commit 3b24c97d1e
1 changed files with 13 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/node/db/SecurityManager.js
View file

@ -99,13 +99,13 @@ exports.checkAccess = async function(padID, sessionCookie, token, password)
let sessionIDs = sessionCookie.split(','); let sessionIDs = sessionCookie.split(',');
// was previously iterated in parallel using async.forEach // was previously iterated in parallel using async.forEach
try {
let sessionInfos = await Promise.all(sessionIDs.map(sessionID => { let sessionInfos = await Promise.all(sessionIDs.map(sessionID => {
return sessionManager.getSessionInfo(sessionID); return sessionManager.getSessionInfo(sessionID);
})); }));
// seperated out the iteration of sessioninfos from the (parallel) fetches from the DB // seperated out the iteration of sessioninfos from the (parallel) fetches from the DB
for (let sessionInfo of sessionInfos) { for (let sessionInfo of sessionInfos) {
try {
// is it for this group? // is it for this group?
if (sessionInfo.groupID != groupID) { if (sessionInfo.groupID != groupID) {
authLogger.debug("Auth failed: wrong group"); authLogger.debug("Auth failed: wrong group");
@ -123,6 +123,7 @@ exports.checkAccess = async function(padID, sessionCookie, token, password)
validSession = true; validSession = true;
sessionAuthor = sessionInfo.authorID; sessionAuthor = sessionInfo.authorID;
break; break;
}
} catch (err) { } catch (err) {
// skip session if it doesn't exist // skip session if it doesn't exist
if (err.message == "sessionID does not exist") { if (err.message == "sessionID does not exist") {
@ -132,7 +133,6 @@ exports.checkAccess = async function(padID, sessionCookie, token, password)
} }
} }
} }
}
let padExists = await p_padExists; let padExists = await p_padExists;