mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-22 16:36:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Merge branch 'master' into develop

Browse source
This commit is contained in:
Richard Hansen 2022-02-23 17:09:41 -05:00
commit 32c82917e3
3 changed files with 58 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

21
src/node/handler/PadMessageHandler.js
View file

@ -241,6 +241,14 @@ exports.handleMessage = async (socket, message) => {
thisSession.readonly =
padIds.readonly || !webaccess.userCanModify(thisSession.auth.padID, socket.client.request);
}
// Outside of the checks done by this function, message.padId must not be accessed because it is
// too easy to introduce a security vulnerability that allows malicious users to read or modify
// pads that they should not be able to access. Code should instead use
// sessioninfos[socket.id].padId if the real pad ID is needed or
// sessioninfos[socket.id].auth.padID if the original user-supplied pad ID is needed.
Object.defineProperty(message, 'padId', {get: () => {
throw new Error('message.padId must not be accessed (for security reasons)');
}});
const auth = thisSession.auth;
if (!auth) {
@ -330,7 +338,7 @@ exports.handleMessage = async (socket, message) => {
messageLogger.warn('Dropped message, COLLABROOM for readonly pad');
} else if (message.data.type === 'USER_CHANGES') {
stats.counter('pendingEdits').inc();
await padChannels.enqueue(message.padId, {socket, message});
await padChannels.enqueue(thisSession.padId, {socket, message});
} else if (message.data.type === 'USERINFO_UPDATE') {
await handleUserInfoUpdate(socket, message);
} else if (message.data.type === 'CHAT_MESSAGE') {
@ -1121,11 +1129,6 @@ const handleChangesetRequest = async (socket, message) => {
return;
}
if (message.padId == null) {
messageLogger.warn('Dropped message, changeset request has no padId!');
return;
}
if (message.data.granularity == null) {
messageLogger.warn('Dropped message, changeset request has no granularity!');
return;
@ -1151,16 +1154,16 @@ const handleChangesetRequest = async (socket, message) => {
const start = message.data.start;
const end = start + (100 * granularity);
const padIds = await readOnlyManager.getIds(message.padId);
const {padId} = sessioninfos[socket.id];
// build the requested rough changesets and send them back
try {
const data = await getChangesetInfo(padIds.padId, start, end, granularity);
const data = await getChangesetInfo(padId, start, end, granularity);
data.requestID = message.data.requestID;
socket.json.send({type: 'CHANGESET_REQ', data});
} catch (err) {
messageLogger.error(`Error while handling a changeset request ${message.data} ` +
`for ${padIds.padId}: ${err.stack || err}`);
`for ${padId}: ${err.stack || err}`);
}
};