From 048d55a64c4fe92cc17bf7e75713355f9baf077e Mon Sep 17 00:00:00 2001
From: Marcel Klehr
Date: Sat, 12 Oct 2013 18:41:48 +0200
Subject: [PATCH 1/2] Don't create new pad if a non-existant read-only pad is accessed fixes #1848
---
 src/node/db/ReadOnlyManager.js | 32 +++++++++++++-------------------
 src/node/db/SecurityManager.js | 5 +++++
 2 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/src/node/db/ReadOnlyManager.js b/src/node/db/ReadOnlyManager.js
index b135e613..dd1e478e 100644
--- a/src/node/db/ReadOnlyManager.js
+++ b/src/node/db/ReadOnlyManager.js
@@ -77,28 +77,22 @@ exports.getPadId = function(readOnlyId, callback)
 * returns a the padId and readonlyPadId in an object for any id
 * @param {String} padIdOrReadonlyPadId read only id or real pad id
 */
-exports.getIds = function(padIdOrReadonlyPadId, callback) {
- var handleRealPadId = function () {
- exports.getReadOnlyId(padIdOrReadonlyPadId, function (err, value) {
+exports.getIds = function(id, callback) {
+ if (id.indexOf("r.") == 0)
+ exports.getPadId(id, function (err, value) {
+ if(ERR(err, callback)) return;
+ callback(null, {
+ readOnlyPadId: id,
+ padId: value, // Might be null, if this is an unknown read-only id
+ readonly: true
+ });
+ });
+ else
+ exports.getReadOnlyId(id, function (err, value) {
 callback(null, {
 readOnlyPadId: value,
- padId: padIdOrReadonlyPadId,
+ padId: id,
 readonly: false
 });
 });
- }
-
- if (padIdOrReadonlyPadId.indexOf("r.") != 0)
- return handleRealPadId();
-
- exports.getPadId(padIdOrReadonlyPadId, function (err, value) {
- if(ERR(err, callback)) return;
- if (value == null)
- return handleRealPadId();
- callback(null, {
- readOnlyPadId: padIdOrReadonlyPadId,
- padId: value,
- readonly: true
- });
- });
 }
diff --git a/src/node/db/SecurityManager.js b/src/node/db/SecurityManager.js
index 06e58bc4..355603f3 100644
--- a/src/node/db/SecurityManager.js
+++ b/src/node/db/SecurityManager.js
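Review bot: In `exports.getIds` (src/node/db/ReadOnlyManager.js) the `else` branch hands the result of `exports.getReadOnlyId` straight to `callback(null, …)` and never looks at `err`, while the read-only branch added by this patch does check it. A failed lookup is therefore reported as success with an undefined `readOnlyPadId`; adding `if(ERR(err, callback)) return;` as the first line of that callback makes both branches fail the same way. The JSDoc above still names the parameter `padIdOrReadonlyPadId` although it is now `id`, and it should say that `padId` can be `null` for an unknown read-only id, so callers know they must deny access rather than create a pad. `id.indexOf` also assumes a string; the callers are not visible in this hunk, but if a missing pad id can reach this function a `typeof id !== "string"` guard is worth adding.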
@@ -41,6 +41,11 @@ var authLogger = log4js.getLogger("auth"); exports.checkAccess = function (padID, sessionCookie, token, password, callback) { var statusObject; + + if(!padID) { + callback(null, {accessStatus: "deny"}); + return; + } // a valid session is required (api-only mode) if(settings.requireSession) From aa77a615da1315e49b95dfa916062799d73d0376 Mon Sep 17 00:00:00 2001 From: Marcel Klehr Date: Sat, 12 Oct 2013 18:51:04 +0200 Subject: [PATCH 2/2] Drop messages from unknown connections fixes #1908 --- src/node/handler/PadMessageHandler.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js index f01e9053..0dd325e4 100644 --- a/src/node/handler/PadMessageHandler.js +++ b/src/node/handler/PadMessageHandler.js @@ -144,15 +144,16 @@ exports.handleDisconnect = function(client) */ exports.handleMessage = function(client, message) { - if(message == null) { - messageLogger.warn("Message is null!"); return; } if(!message.type) { - messageLogger.warn("Message has no type attribute!"); + return; + } + if(!sessioninfos[client.id]) { + messageLogger.warn("Dropped message from an unknown connection.") return; }
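Review bot: The new `if(!padID)` guard at the top of `exports.checkAccess` (src/node/db/SecurityManager.js) denies access without leaving any trace, so requests for ids that resolve to no pad never show up in the auth log. `authLogger` is already defined just above this function (it appears in the hunk header), so a line such as `authLogger.info("Access denied: no pad id resolved");` before the callback would record the event without writing the token or password. A short comment such as `// padID is null when a read-only id could not be resolved` would also explain why a falsy pad id can arrive here, which the first patch in this series makes possible. The body of `checkAccess` continues outside the hunk.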
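Review bot: The added `messageLogger.warn("Dropped message from an unknown connection.")` in `exports.handleMessage` (src/node/handler/PadMessageHandler.js) has no terminating semicolon and carries no connection identifier, so the log entry cannot be tied to a socket. Something like `messageLogger.warn("Dropped message from an unknown connection: " + client.id);` fixes both. The same hunk removes the warnings for null and untyped messages, which leaves those drops silent; if that was done to limit log volume, note that the new warning is still written once per message from a peer that has no session, so a lower log level or rate limiting may be needed. The rest of `handleMessage` lies outside the hunk.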