Merge pull request #1035 from amtep/develop

Guard against malicious clients in USERINFO_UPDATE handling
This commit is contained in:
John McLear 2012-10-11 08:27:27 -07:00
commit d7ec050f34
1 changed files with 18 additions and 6 deletions

View File

@ -417,22 +417,34 @@ function handleUserInfoUpdate(client, message)
authorManager.setAuthorName(author, message.data.userInfo.name);
var padId = sessioninfos[client.id].padId;
var infoMsg = {
type: "COLLABROOM",
data: {
// The Client doesn't know about USERINFO_UPDATE, use USER_NEWINFO
type: "USER_NEWINFO",
userInfo: {
userId: author,
name: message.data.userInfo.name,
colorId: message.data.userInfo.colorId,
userAgent: "Anonymous",
ip: "127.0.0.1",
}
}
};
//set a null name, when there is no name set. cause the client wants it null
if(message.data.userInfo.name == null)
if(infoMsg.data.userInfo.name == null)
{
message.data.userInfo.name = null;
infoMsg.data.userInfo.name = null;
}
//The Client don't know about a USERINFO_UPDATE, it can handle only new user_newinfo, so change the message type
message.data.type = "USER_NEWINFO";
//Send the other clients on the pad the update message
for(var i in pad2sessions[padId])
{
if(pad2sessions[padId][i] != client.id)
{
socketio.sockets.sockets[pad2sessions[padId][i]].json.send(message);
socketio.sockets.sockets[pad2sessions[padId][i]].json.send(infoMsg);
}
}
}