plug up some websocket security holes
This commit is contained in:
parent
05a618a15f
commit
48c307778e
|
@ -24,6 +24,9 @@ def message(socket, data):
|
||||||
Gets called when the server receives a 'message' event.
|
Gets called when the server receives a 'message' event.
|
||||||
"""
|
"""
|
||||||
message = data.get('message')
|
message = data.get('message')
|
||||||
|
|
||||||
|
if not all(locals().values()):
|
||||||
|
return
|
||||||
|
|
||||||
# cleaning
|
# cleaning
|
||||||
message = message[:512]
|
message = message[:512]
|
||||||
|
@ -153,12 +156,15 @@ def text_post(socket, data):
|
||||||
"""
|
"""
|
||||||
quest = Quest.objects.get(id=socket.quest_id)
|
quest = Quest.objects.get(id=socket.quest_id)
|
||||||
user = socket.scope['user']
|
user = socket.scope['user']
|
||||||
if quest.owner != user:
|
if quest.owner != user: # 401 not allowed
|
||||||
return # error message?
|
return
|
||||||
|
|
||||||
post_text = data.get('text')
|
post_text = data.get('text')
|
||||||
page_num = data.get('page_num')
|
page_num = data.get('page_num')
|
||||||
|
|
||||||
|
if not all(locals().values()):
|
||||||
|
return
|
||||||
|
|
||||||
try:
|
try:
|
||||||
page = Page.objects.get(quest=quest, page_num=page_num)
|
page = Page.objects.get(quest=quest, page_num=page_num)
|
||||||
except Page.DoesNotExist:
|
except Page.DoesNotExist:
|
||||||
|
@ -207,8 +213,8 @@ def dice_post(socket, data):
|
||||||
"""
|
"""
|
||||||
quest = Quest.objects.get(id=socket.quest_id)
|
quest = Quest.objects.get(id=socket.quest_id)
|
||||||
user = socket.scope['user']
|
user = socket.scope['user']
|
||||||
if quest.owner != user:
|
if quest.owner != user: # 401 not allowed
|
||||||
return # error message?
|
return
|
||||||
|
|
||||||
page_num = data.get('page_num')
|
page_num = data.get('page_num')
|
||||||
try:
|
try:
|
||||||
|
@ -218,7 +224,8 @@ def dice_post(socket, data):
|
||||||
|
|
||||||
form = DiceCallForm(data)
|
form = DiceCallForm(data)
|
||||||
if not form.is_valid():
|
if not form.is_valid():
|
||||||
return # error message?
|
# TODO: error message event
|
||||||
|
return
|
||||||
form = form.cleaned_data
|
form = form.cleaned_data
|
||||||
|
|
||||||
posts = Post.objects.filter(
|
posts = Post.objects.filter(
|
||||||
|
@ -288,8 +295,8 @@ def poll_post(socket, data):
|
||||||
"""
|
"""
|
||||||
quest = Quest.objects.get(id=socket.quest_id)
|
quest = Quest.objects.get(id=socket.quest_id)
|
||||||
user = socket.scope['user']
|
user = socket.scope['user']
|
||||||
if quest.owner != user:
|
if quest.owner != user: # 401 not allowed
|
||||||
return # error message?
|
return
|
||||||
|
|
||||||
page_num = data.get('page_num')
|
page_num = data.get('page_num')
|
||||||
try:
|
try:
|
||||||
|
@ -358,12 +365,15 @@ def edit_post(socket, data):
|
||||||
"""
|
"""
|
||||||
quest = Quest.objects.get(id=socket.quest_id)
|
quest = Quest.objects.get(id=socket.quest_id)
|
||||||
user = socket.scope['user']
|
user = socket.scope['user']
|
||||||
if quest.owner != user:
|
if quest.owner != user: # 401 not allowed
|
||||||
return # error message?
|
return
|
||||||
|
|
||||||
post_id = data.get('post_id')
|
post_id = data.get('post_id')
|
||||||
post_text = data.get('post_text')
|
post_text = data.get('post_text')
|
||||||
|
|
||||||
|
if not all(locals().values()):
|
||||||
|
return
|
||||||
|
|
||||||
try:
|
try:
|
||||||
p = Post.objects.get(id=post_id)
|
p = Post.objects.get(id=post_id)
|
||||||
except Post.DoesNotExist:
|
except Post.DoesNotExist:
|
||||||
|
@ -392,8 +402,8 @@ def close_post(socket, data):
|
||||||
"""
|
"""
|
||||||
quest = Quest.objects.get(id=socket.quest_id)
|
quest = Quest.objects.get(id=socket.quest_id)
|
||||||
user = socket.scope['user']
|
user = socket.scope['user']
|
||||||
if quest.owner != user:
|
if quest.owner != user: # 401 not allowed
|
||||||
return # error message?
|
return
|
||||||
|
|
||||||
post_id = data.get('post_id')
|
post_id = data.get('post_id')
|
||||||
try:
|
try:
|
||||||
|
@ -419,8 +429,8 @@ def open_post(socket, data):
|
||||||
"""
|
"""
|
||||||
quest = Quest.objects.get(id=socket.quest_id)
|
quest = Quest.objects.get(id=socket.quest_id)
|
||||||
user = socket.scope['user']
|
user = socket.scope['user']
|
||||||
if quest.owner != user:
|
if quest.owner != user: # 401 not allowed
|
||||||
return # error message?
|
return
|
||||||
|
|
||||||
post_id = data.get('post_id')
|
post_id = data.get('post_id')
|
||||||
try:
|
try:
|
||||||
|
@ -456,12 +466,15 @@ def new_page(socket, data):
|
||||||
"""
|
"""
|
||||||
quest = Quest.objects.get(id=socket.quest_id)
|
quest = Quest.objects.get(id=socket.quest_id)
|
||||||
user = socket.scope['user']
|
user = socket.scope['user']
|
||||||
if quest.owner != user:
|
if quest.owner != user: # 401 not allowed
|
||||||
return # error message?
|
return
|
||||||
|
|
||||||
title = data.get('page_title')
|
title = data.get('page_title')
|
||||||
appendix = bool(data.get('appendix'))
|
appendix = bool(data.get('appendix'))
|
||||||
|
|
||||||
|
if not all(locals().values()):
|
||||||
|
return
|
||||||
|
|
||||||
if appendix:
|
if appendix:
|
||||||
page = Page.objects.filter(
|
page = Page.objects.filter(
|
||||||
quest=quest,
|
quest=quest,
|
||||||
|
@ -521,23 +534,33 @@ def vote(socket, data):
|
||||||
ip_address = socket.scope['client'][0]
|
ip_address = socket.scope['client'][0]
|
||||||
user = socket.scope['user']
|
user = socket.scope['user']
|
||||||
|
|
||||||
if polarity == False:
|
if not all(locals().values()):
|
||||||
|
return
|
||||||
|
|
||||||
|
try:
|
||||||
|
p = Poll.objects.get(post_id=post_id)
|
||||||
|
except Poll.DoesNotExist:
|
||||||
|
return
|
||||||
|
|
||||||
|
if not p.open:
|
||||||
|
return
|
||||||
|
|
||||||
|
if polarity == False: # player removes his vote
|
||||||
try:
|
try:
|
||||||
v = PollVote.objects.get(
|
pv = PollVote.objects.get(
|
||||||
ip_address=ip_address,
|
ip_address=ip_address,
|
||||||
option__id=option_id
|
option__id=option_id
|
||||||
)
|
)
|
||||||
except PollVote.DoesNotExist:
|
except PollVote.DoesNotExist:
|
||||||
return
|
return
|
||||||
v.delete()
|
pv.delete()
|
||||||
else:
|
else: # player makes a new vote
|
||||||
try:
|
try:
|
||||||
p = Poll.objects.get(post_id=post_id)
|
|
||||||
option = PollOption.objects.get(id=option_id)
|
option = PollOption.objects.get(id=option_id)
|
||||||
except (Poll.DoesNotExist, PollOption.DoesNotExist):
|
except PollOption.DoesNotExist:
|
||||||
return
|
return
|
||||||
pvs = PollVote.objects.filter(option=option, ip_address=ip_address)
|
pvs = PollVote.objects.filter(option=option, ip_address=ip_address)
|
||||||
if pvs.count() != 0:
|
if pvs.count() != 0: # if player has voted for this option already
|
||||||
return
|
return
|
||||||
|
|
||||||
if p.multi_choice == False:
|
if p.multi_choice == False:
|
||||||
|
@ -572,20 +595,26 @@ def write_in(socket, data):
|
||||||
Called when a player creates a new write-in.
|
Called when a player creates a new write-in.
|
||||||
"""
|
"""
|
||||||
post_id = data.get('post_id')
|
post_id = data.get('post_id')
|
||||||
option_text = data.get('option_text', '')
|
option_text = data.get('option_text')
|
||||||
user = socket.scope['user']
|
user = socket.scope['user']
|
||||||
|
|
||||||
|
if not all(locals().values()):
|
||||||
|
return
|
||||||
|
|
||||||
try:
|
try:
|
||||||
p = Poll.objects.get(post_id=post_id)
|
p = Poll.objects.get(post_id=post_id)
|
||||||
except Poll.DoesNotExist:
|
except Poll.DoesNotExist:
|
||||||
return
|
return
|
||||||
|
|
||||||
|
if not p.allow_writein:
|
||||||
|
return
|
||||||
|
|
||||||
option_text = option_text.strip()
|
option_text = option_text.strip()
|
||||||
if not option_text:
|
if not option_text:
|
||||||
return
|
return
|
||||||
option_text = "Write-in: " + bleach.clean(option_text)
|
option_text = "Write-in: " + bleach.clean(option_text)
|
||||||
if len(option_text) > 200:
|
if len(option_text) > 200:
|
||||||
# error message?
|
# TODO: error message event
|
||||||
return
|
return
|
||||||
o = PollOption(
|
o = PollOption(
|
||||||
poll=p,
|
poll=p,
|
||||||
|
|
|
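Review bot: The `if not all(locals().values()): return` guard added in the new_page hunk (`@ -456,12 +466,15 @@`) rejects every request where `appendix` is False, because `appendix = bool(data.get('appendix'))` is itself a local, so ordinary non-appendix pages can no longer be created; the same guard in the vote hunk (`@ -521,23 +534,33 @@`) returns before `if polarity == False: # player removes his vote` is reached, so vote removal appears unreachable whenever polarity is the boolean that comparison implies (polarity is assigned above the hunk and is not visible here). The check also refuses legitimate zero values if a `page_num` or `post_id` can be 0, and it silently changes meaning whenever another local is introduced above it, which makes it a fragile substitute for validation in message, text_post, edit_post and write_in as well. Prefer explicit presence checks on the fields read from `data`, e.g. in new_page `if not title: return` and in vote `if post_id is None or option_id is None or polarity is None: return`, adjusting names to the locals actually read. Note that `socket.scope['user']` is an object and is truthy whether or not it represents an authenticated account, so this guard is an input-presence check rather than an authorisation check; the handlers without a `quest.owner != user` test (message, vote, write_in) still rely on whatever authentication the consumer enforces elsewhere.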
@ -187,7 +187,7 @@ function submitWritein(post_id) {
|
||||||
let option_text = writeinInput.value;
|
let option_text = writeinInput.value;
|
||||||
writeinInput.value = '';
|
writeinInput.value = '';
|
||||||
if (!option_text) { return; }
|
if (!option_text) { return; }
|
||||||
socket.send('write_in', {option_text: option_text, post_id: post_id});
|
socket.send('write_in', {post_id: post_id, option_text: option_text});
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Helpers */
|
/* Helpers */
|
||||||
|
|