Merge pull request #1609 from ether/dont-crash-bad-author

SECURITY PATCH: Don't crash pad if bad author data is passed to the server
2013-03-13 16:08:21 -07:00 · 2013-03-13 16:08:21 -07:00 · 10231db103
parent babb33d825 c30b0b72b8
commit 10231db103
1 changed files with 6 additions and 1 deletions
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@ -550,11 +550,16 @@ function handleUserChanges(client, message)
            throw "Attribute pool is missing attribute "+n+" for changeset "+changeset;
          }
        });
+
+        // Validate all 'author' attribs to be the same value as the current user
+        wireApool.eachAttrib(function(type, value) {
+          if('author' == type && value != thisSession.author) throw "Trying to submit changes as another author"
+        })
      }
      catch(e)
      {
        // There is an error in this changeset, so just refuse it
-        console.warn("Can't apply USER_CHANGES "+changeset+", because it failed checkRep");
+        console.warn("Can't apply USER_CHANGES "+changeset+", because: "+e);
        client.json.send({disconnect:"badChangeset"});
        return;
      }