plug up some websocket security holes

This commit is contained in:
iou1name 2019-04-15 08:28:16 -04:00
parent 05a618a15f
commit 48c307778e
3 changed files with 54 additions and 26 deletions


@ -24,6 +24,9 @@ def message(socket, data):
Gets called when the server receives a 'message' event.
"""
message = data.get('message')
if not all(locals().values()):
return
# cleaning
message = message[:512]
@ -153,12 +156,15 @@ def text_post(socket, data):
"""
quest = Quest.objects.get(id=socket.quest_id)
user = socket.scope['user']
if quest.owner != user:
return # error message?
if quest.owner != user: # 401 not allowed
return
post_text = data.get('text')
page_num = data.get('page_num')
if not all(locals().values()):
return
try:
page = Page.objects.get(quest=quest, page_num=page_num)
except Page.DoesNotExist:
@ -207,8 +213,8 @@ def dice_post(socket, data):
"""
quest = Quest.objects.get(id=socket.quest_id)
user = socket.scope['user']
if quest.owner != user:
return # error message?
if quest.owner != user: # 401 not allowed
return
page_num = data.get('page_num')
try:
@ -218,7 +224,8 @@ def dice_post(socket, data):
form = DiceCallForm(data)
if not form.is_valid():
return # error message?
# TODO: error message event
return
form = form.cleaned_data
posts = Post.objects.filter(
@ -288,8 +295,8 @@ def poll_post(socket, data):
"""
quest = Quest.objects.get(id=socket.quest_id)
user = socket.scope['user']
if quest.owner != user:
return # error message?
if quest.owner != user: # 401 not allowed
return
page_num = data.get('page_num')
try:
@ -358,12 +365,15 @@ def edit_post(socket, data):
"""
quest = Quest.objects.get(id=socket.quest_id)
user = socket.scope['user']
if quest.owner != user:
return # error message?
if quest.owner != user: # 401 not allowed
return
post_id = data.get('post_id')
post_text = data.get('post_text')
if not all(locals().values()):
return
try:
p = Post.objects.get(id=post_id)
except Post.DoesNotExist:
@ -392,8 +402,8 @@ def close_post(socket, data):
"""
quest = Quest.objects.get(id=socket.quest_id)
user = socket.scope['user']
if quest.owner != user:
return # error message?
if quest.owner != user: # 401 not allowed
return
post_id = data.get('post_id')
try:
@ -419,8 +429,8 @@ def open_post(socket, data):
"""
quest = Quest.objects.get(id=socket.quest_id)
user = socket.scope['user']
if quest.owner != user:
return # error message?
if quest.owner != user: # 401 not allowed
return
post_id = data.get('post_id')
try:
@ -456,12 +466,15 @@ def new_page(socket, data):
"""
quest = Quest.objects.get(id=socket.quest_id)
user = socket.scope['user']
if quest.owner != user:
return # error message?
if quest.owner != user: # 401 not allowed
return
title = data.get('page_title')
appendix = bool(data.get('appendix'))
if not all(locals().values()):
return
if appendix:
page = Page.objects.filter(
quest=quest,
@ -521,23 +534,33 @@ def vote(socket, data):
ip_address = socket.scope['client'][0]
user = socket.scope['user']
if polarity == False:
if not all(locals().values()):
return
try:
p = Poll.objects.get(post_id=post_id)
except Poll.DoesNotExist:
return
if not p.open:
return
if polarity == False: # player removes his vote
try:
v = PollVote.objects.get(
pv = PollVote.objects.get(
ip_address=ip_address,
option__id=option_id
)
except PollVote.DoesNotExist:
return
v.delete()
else:
pv.delete()
else: # player makes a new vote
try:
p = Poll.objects.get(post_id=post_id)
option = PollOption.objects.get(id=option_id)
except (Poll.DoesNotExist, PollOption.DoesNotExist):
except PollOption.DoesNotExist:
return
pvs = PollVote.objects.filter(option=option, ip_address=ip_address)
if pvs.count() != 0:
if pvs.count() != 0: # if player has voted for this option already
return
if p.multi_choice == False:
@ -572,20 +595,26 @@ def write_in(socket, data):
Called when a player creates a new write-in.
"""
post_id = data.get('post_id')
option_text = data.get('option_text', '')
option_text = data.get('option_text')
user = socket.scope['user']
if not all(locals().values()):
return
try:
p = Poll.objects.get(post_id=post_id)
except Poll.DoesNotExist:
return
if not p.allow_writein:
return
option_text = option_text.strip()
if not option_text:
return
option_text = "Write-in: " + bleach.clean(option_text)
if len(option_text) > 200:
# error message?
# TODO: error message event
return
o = PollOption(
poll=p,
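Review bot: The new `if not all(locals().values()): return` guard rejects legitimate falsy values, not just missing ones, so in new_page (L106-L108) `appendix = bool(data.get('appendix'))` makes every non-appendix request return silently, and in vote (L116-L117) a `polarity` of False — the very case the `if polarity == False:` branch at L124 is written for — never reaches the removal path, assuming polarity is a plain local as that line suggests. The same pattern at L15, L29, L72 and L155 is fragile for the same reason: it also depends on every other local (socket, data, quest, user) staying truthy and on no field ever being 0. The robust form is an explicit presence check per required field, e.g. in new_page `if title is None: return` and in vote `if post_id is None or option_id is None: return`, leaving booleans out of the check entirely. Each of these functions starts outside its hunk, so whether polarity and option_id come from data.get() cannot be confirmed here.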


@ -187,7 +187,7 @@ function submitWritein(post_id) {
let option_text = writeinInput.value;
writeinInput.value = '';
if (!option_text) { return; }
socket.send('write_in', {option_text: option_text, post_id: post_id});
socket.send('write_in', {post_id: post_id, option_text: option_text});
}
/* Helpers */

1
todo

@ -4,7 +4,6 @@ Webm posting
(you) counter
Account managament
Quote backlinks
Email
RSS
Improvements: