mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-20 15:36:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

added a security control at socketiorouter, pad security is now fully enforced

Browse source
This commit is contained in:
Peter 'Pita' Martischka 2011-08-16 15:53:09 +01:00
parent 317370da2c
commit 3ff34f50d1
3 changed files with 82 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

84
node/handler/SocketIORouter.js
View file

@ -21,6 +21,7 @@
var log4js = require('log4js');
var messageLogger = log4js.getLogger("message");
var securityManager = require("../db/SecurityManager");
/**
* Saves all components
@ -53,11 +54,13 @@ exports.setSocketIO = function(_socket)
socket.sockets.on('connection', function(client)
{
var clientAuthorized = false;
//wrap the original send function to log the messages
client._send = client.send;
client.send = function(message)
{
messageLogger.info("to " + client.id + ": " + JSON.stringify(message));
messageLogger.info("to " + client.id + ": " + stringifyWithoutPassword(message));
client._send(message);
}
@ -67,34 +70,72 @@ exports.setSocketIO = function(_socket)
components[i].handleConnect(client);
}
client.on('message', function(message)
//try to handle the message of this client
function handleMessage(message)
{
if(message.protocolVersion && message.protocolVersion != 2)
{
messageLogger.warn("Protocolversion header is not correct:" + JSON.stringify(message));
return;
}
//route this message to the correct component, if possible
if(message.component && components[message.component])
{
messageLogger.info("from " + client.id + ": " + JSON.stringify(message));
//check if component is registered in the components array
if(components[message.component])
{
messageLogger.info("from " + client.id + ": " + stringifyWithoutPassword(message));
components[message.component].handleMessage(client, message);
}
}
else
{
messageLogger.error("Can't route the message:" + JSON.stringify(message));
messageLogger.error("Can't route the message:" + stringifyWithoutPassword(message));
}
}
client.on('message', function(message)
{
if(message.protocolVersion && message.protocolVersion != 2)
{
messageLogger.warn("Protocolversion header is not correct:" + stringifyWithoutPassword(message));
return;
}
//client is authorized, everything ok
if(clientAuthorized)
{
handleMessage(message);
}
//try to authorize the client
else
{
//this message has everything to try an authorization
if(message.padId !== undefined && message.sessionID !== undefined && message.token !== undefined && message.password !== undefined)
{
securityManager.checkAccess (message.padId, message.sessionID, message.token, message.password, function(err, statusObject)
{
if(err) throw err;
//access was granted, mark the client as authorized and handle the message
if(statusObject.accessStatus == "grant")
{
clientAuthorized = true;
handleMessage(message);
}
//no access, send the client a message that tell him why
else
{
messageLogger.warn("Authentication try failed:" + stringifyWithoutPassword(message));
client.json.send({accessStatus: statusObject.accessStatus});
}
});
}
//drop message
else
{
messageLogger.warn("Droped message cause of bad permissions:" + stringifyWithoutPassword(message));
}
}
});
client.on('disconnect', function()
{
//tell all components about this disconnect
//tell all components about this disconnect
for(var i in components)
{
components[i].handleDisconnect(client);
@ -102,3 +143,20 @@ exports.setSocketIO = function(_socket)
});
});
}
//returns a stringified representation of a message, removes the password
//this ensures there are no passwords in the log
function stringifyWithoutPassword(message)
{
var newMessage = {};
for(var i in message)
{
if(i == "password" && message[i] != null)
newMessage["password"] = "xxx";
else
newMessage[i]=message[i];
}
return JSON.stringify(newMessage);
}