Merge pull request #1035 from amtep/develop

Guard against malicious clients in USERINFO_UPDATE handling
This commit is contained in:
John McLear 2012-10-11 08:27:27 -07:00
commit d7ec050f34
1 changed files with 18 additions and 6 deletions

View File

@ -418,21 +418,33 @@ function handleUserInfoUpdate(client, message)
var padId = sessioninfos[client.id].padId; var padId = sessioninfos[client.id].padId;
//set a null name, when there is no name set. cause the client wants it null var infoMsg = {
if(message.data.userInfo.name == null) type: "COLLABROOM",
{ data: {
message.data.userInfo.name = null; // The Client doesn't know about USERINFO_UPDATE, use USER_NEWINFO
} type: "USER_NEWINFO",
userInfo: {
userId: author,
name: message.data.userInfo.name,
colorId: message.data.userInfo.colorId,
userAgent: "Anonymous",
ip: "127.0.0.1",
}
}
};
//The Client don't know about a USERINFO_UPDATE, it can handle only new user_newinfo, so change the message type //set a null name, when there is no name set. cause the client wants it null
message.data.type = "USER_NEWINFO"; if(infoMsg.data.userInfo.name == null)
{
infoMsg.data.userInfo.name = null;
}
//Send the other clients on the pad the update message //Send the other clients on the pad the update message
for(var i in pad2sessions[padId]) for(var i in pad2sessions[padId])
{ {
if(pad2sessions[padId][i] != client.id) if(pad2sessions[padId][i] != client.id)
{ {
socketio.sockets.sockets[pad2sessions[padId][i]].json.send(message); socketio.sockets.sockets[pad2sessions[padId][i]].json.send(infoMsg);
} }
} }
} }