Merge pull request #896 from thecodingmachine/fixXss

FIX: calling emitPlayGlobalMessage in pusher without the admin tag will throw an error
Kharhamel 2021-04-14 12:21:04 +02:00 committed by GitHub
commit 71898bff7d
2 changed files with 4 additions and 13 deletions


@ -510,19 +510,6 @@ export class SocketManager {
return this.rooms; return this.rooms;
} }
/**
*
* @param token
*/
/*searchClientByUuid(uuid: string): ExSocketInterface | null {
for(const socket of this.sockets.values()){
if(socket.userUuid === uuid){
return socket;
}
}
return null;
}*/
public handleQueryJitsiJwtMessage(user: User, queryJitsiJwtMessage: QueryJitsiJwtMessage) { public handleQueryJitsiJwtMessage(user: User, queryJitsiJwtMessage: QueryJitsiJwtMessage) {
const room = queryJitsiJwtMessage.getJitsiroom(); const room = queryJitsiJwtMessage.getJitsiroom();


@ -364,6 +364,10 @@ export class SocketManager implements ZoneEventListener {
} }
emitPlayGlobalMessage(client: ExSocketInterface, playglobalmessage: PlayGlobalMessage) { emitPlayGlobalMessage(client: ExSocketInterface, playglobalmessage: PlayGlobalMessage) {
if (!client.tags.includes('admin')) {
//In case of xss injection, we just kill the connection.
throw 'Client is not an admin!';
}
const pusherToBackMessage = new PusherToBackMessage(); const pusherToBackMessage = new PusherToBackMessage();
pusherToBackMessage.setPlayglobalmessage(playglobalmessage); pusherToBackMessage.setPlayglobalmessage(playglobalmessage);
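Review bot: The new guard at the top of emitPlayGlobalMessage throws a bare string, so a caller that catches the rejection gets no stack trace and an `e instanceof Error` narrowing in its catch block will not match; prefer `throw new Error('Client is not an admin!');`. The comment above the throw describes the check as an XSS defence, but what the line enforces is authorization (the client lacks the admin tag), so `// Only clients carrying the admin tag may broadcast a global message; reject everyone else.` states the intent more accurately. Whether the connection is actually killed depends on the caller handling this throw, which is outside the hunk, and the rest of emitPlayGlobalMessage's body also continues past it. Logging the rejected client's identity at the throw site would make repeated unauthorized attempts visible to operators rather than silently dropped.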