mirror of
https://github.com/ether/etherpad-lite.git
synced 2025-01-20 14:39:53 +01:00
USERINFO_UPDATE: construct a new message for broadcast
The server was reusing the client's message when broadcasting userinfo updates. This would allow a malicious client to insert arbitrary fields into a message that the other clients would trust as coming from the server. For example, adding "disconnect" or renaming other authors. This commit fixes it by having the server construct a new message with known fields before broadcasting.
This commit is contained in:
parent
8ea3ee080f
commit
e4841212a6
1 changed files with 18 additions and 6 deletions
|
@ -417,22 +417,34 @@ function handleUserInfoUpdate(client, message)
|
|||
authorManager.setAuthorName(author, message.data.userInfo.name);
|
||||
|
||||
var padId = sessioninfos[client.id].padId;
|
||||
|
||||
var infoMsg = {
|
||||
type: "COLLABROOM",
|
||||
data: {
|
||||
// The Client doesn't know about USERINFO_UPDATE, use USER_NEWINFO
|
||||
type: "USER_NEWINFO",
|
||||
userInfo: {
|
||||
userId: author,
|
||||
name: message.data.userInfo.name,
|
||||
colorId: message.data.userInfo.colorId,
|
||||
userAgent: "Anonymous",
|
||||
ip: "127.0.0.1",
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
//set a null name, when there is no name set. cause the client wants it null
|
||||
if(message.data.userInfo.name == null)
|
||||
if(infoMsg.data.userInfo.name == null)
|
||||
{
|
||||
message.data.userInfo.name = null;
|
||||
infoMsg.data.userInfo.name = null;
|
||||
}
|
||||
|
||||
//The Client don't know about a USERINFO_UPDATE, it can handle only new user_newinfo, so change the message type
|
||||
message.data.type = "USER_NEWINFO";
|
||||
|
||||
//Send the other clients on the pad the update message
|
||||
for(var i in pad2sessions[padId])
|
||||
{
|
||||
if(pad2sessions[padId][i] != client.id)
|
||||
{
|
||||
socketio.sockets.sockets[pad2sessions[padId][i]].json.send(message);
|
||||
socketio.sockets.sockets[pad2sessions[padId][i]].json.send(infoMsg);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue