mirror of
https://github.com/ether/etherpad-lite.git
synced 2025-05-05 14:47:12 -04:00
b80a37173e
Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels. |
||
|---|---|---|
| .. | ||
| admin.js | ||
| adminplugins.js | ||
| adminsettings.js | ||
| apicalls.js | ||
| errorhandling.js | ||
| importexport.js | ||
| isValidJSONPName.js | ||
| openapi.js | ||
| padreadonly.js | ||
| padurlsanitize.js | ||
| socketio.js | ||
| specialpages.js | ||
| static.js | ||
| tests.js | ||
| webaccess.js | ||