authorRichard Braakman <richard.braakman@jollamobile.com>2012-10-02 23:27:30 +0300
committerRichard Braakman <richard.braakman@jollamobile.com>2012-10-02 23:27:30 +0300
commit85b44119aee2339856a2fccadef99f9629f68895 (patch)
treef4542eec07e9e343779ef091ae6c3db7e6f8c218 /src/node
parent2cf46d3964978960bed62d159fe7eb47933592c9 (diff)
downloadetherpad-lite-85b44119aee2339856a2fccadef99f9629f68895.zip
USERINFO_UPDATE: construct a new message for broadcast
The server was reusing the client's message when broadcasting userinfo updates. This would allow a malicious client to insert arbitrary fields into a message that the other clients would trust as coming from the server. For example, adding "disconnect" or renaming other authors. This commit fixes it by having the server construct a new message with known fields before broadcasting.
Diffstat (limited to 'src/node')
-rw-r--r--src/node/handler/PadMessageHandler.js24
1 files changed, 18 insertions, 6 deletions
diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index 10b259ae..28797a3a 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -415,22 +415,34 @@ function handleUserInfoUpdate(client, message)
authorManager.setAuthorName(author, message.data.userInfo.name);
var padId = sessioninfos[client.id].padId;
+
+ var infoMsg = {
+ type: "COLLABROOM",
+ data: {
+ // The Client doesn't know about USERINFO_UPDATE, use USER_NEWINFO
+ type: "USER_NEWINFO",
+ userInfo: {
+ userId: author,
+ name: message.data.userInfo.name,
+ colorId: message.data.userInfo.colorId,
+ userAgent: "Anonymous",
+ ip: "127.0.0.1",
+ }
+ }
+ };
//set a null name, when there is no name set. cause the client wants it null
- if(message.data.userInfo.name == null)
+ if(infoMsg.data.userInfo.name == null)
{
- message.data.userInfo.name = null;
+ infoMsg.data.userInfo.name = null;
}
- //The Client don't know about a USERINFO_UPDATE, it can handle only new user_newinfo, so change the message type
- message.data.type = "USER_NEWINFO";
-
//Send the other clients on the pad the update message
for(var i in pad2sessions[padId])
{
if(pad2sessions[padId][i] != client.id)
{
- socketio.sockets.sockets[pad2sessions[padId][i]].json.send(message);
+ socketio.sockets.sockets[pad2sessions[padId][i]].json.send(infoMsg);
}
}
}
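Review bot: The new `infoMsg` literal still copies `name` and `colorId` straight from the client-supplied `message.data.userInfo` (the lines `name: message.data.userInfo.name,` and `colorId: message.data.userInfo.colorId,`) without constraining their type, so the allowlist of keys is complete but a nested object or array placed under either key is still relayed verbatim to every other client on the pad. A guard before the literal, e.g. `var userName = typeof message.data.userInfo.name === 'string' ? message.data.userInfo.name : null;` used for the `name` field, with a corresponding check on `colorId` against whatever type the client code expects there, would close that gap — unless such validation already happens earlier in handleUserInfoUpdate, whose start is outside this hunk. The hard-coded `userAgent` and `ip` fields deserve a comment stating that they are deliberate placeholders and that client-supplied values are intentionally not forwarded, e.g. `// fixed placeholders: never echo client-supplied userAgent/ip`, so a later change does not "fix" them back to relaying the original message.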