fuwafuwa
/
etherpad-lite
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #1609 from ether/dont-crash-bad-author 

SECURITY PATCH: Don't crash pad if bad author data is passed to the server
This commit is contained in:
John McLear 2013-03-13 16:08:21 -07:00
parent babb33d825 c30b0b72b8
commit 10231db103
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/node/handler/PadMessageHandler.js
View File

@ -550,11 +550,16 @@ function handleUserChanges(client, message)
throw "Attribute pool is missing attribute "+n+" for changeset "+changeset; throw "Attribute pool is missing attribute "+n+" for changeset "+changeset;
} }
}); });
// Validate all 'author' attribs to be the same value as the current user
wireApool.eachAttrib(function(type, value) {
if('author' == type && value != thisSession.author) throw "Trying to submit changes as another author"
})
} }
catch(e) catch(e)
{ {
// There is an error in this changeset, so just refuse it // There is an error in this changeset, so just refuse it
console.warn("Can't apply USER_CHANGES "+changeset+", because it failed checkRep"); console.warn("Can't apply USER_CHANGES "+changeset+", because: "+e);
client.json.send({disconnect:"badChangeset"}); client.json.send({disconnect:"badChangeset"});
return; return;
} }