Merge pull request #896 from thecodingmachine/fixXss
FIX: calling emitPlayGlobalMessage in pusher without the admin tag will throw an error
commit
71898bff7d
@ -510,19 +510,6 @@ export class SocketManager {
|
|||||||
return this.rooms;
|
return this.rooms;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
*
|
|
||||||
* @param token
|
|
||||||
*/
|
|
||||||
/*searchClientByUuid(uuid: string): ExSocketInterface | null {
|
|
||||||
for(const socket of this.sockets.values()){
|
|
||||||
if(socket.userUuid === uuid){
|
|
||||||
return socket;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return null;
|
|
||||||
}*/
|
|
||||||
|
|
||||||
|
|
||||||
public handleQueryJitsiJwtMessage(user: User, queryJitsiJwtMessage: QueryJitsiJwtMessage) {
|
public handleQueryJitsiJwtMessage(user: User, queryJitsiJwtMessage: QueryJitsiJwtMessage) {
|
||||||
const room = queryJitsiJwtMessage.getJitsiroom();
|
const room = queryJitsiJwtMessage.getJitsiroom();
|
||||||
|
@ -364,6 +364,10 @@ export class SocketManager implements ZoneEventListener {
|
|||||||
}
|
}
|
||||||
|
|
||||||
emitPlayGlobalMessage(client: ExSocketInterface, playglobalmessage: PlayGlobalMessage) {
|
emitPlayGlobalMessage(client: ExSocketInterface, playglobalmessage: PlayGlobalMessage) {
|
||||||
|
if (!client.tags.includes('admin')) {
|
||||||
|
//In case of xss injection, we just kill the connection.
|
||||||
|
throw 'Client is not an admin!';
|
||||||
|
}
|
||||||
const pusherToBackMessage = new PusherToBackMessage();
|
const pusherToBackMessage = new PusherToBackMessage();
|
||||||
pusherToBackMessage.setPlayglobalmessage(playglobalmessage);
|
pusherToBackMessage.setPlayglobalmessage(playglobalmessage);
|
||||||
|
|
||||||
|
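Review bot: The new admin guard in emitPlayGlobalMessage throws a bare string, `throw 'Client is not an admin!';`, which carries no stack trace and will not match an `instanceof Error` check in whatever handler catches it; `throw new Error('Client is not an admin!');` is the safer form. The comment above it says the connection is killed, but nothing in this hunk closes the socket, so that behaviour depends on the caller's catch path, which is outside the visible lines and should be confirmed; logging the rejected client there would also make repeated attempts visible. The guard restricts who may send a global message but does not sanitise `playglobalmessage` itself, so if the content is rendered as HTML on the receiving side, escaping there is still needed. The method body continues outside the hunk.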