Client can crash the server
robbi5 opened this issue
The client can simply crash the server when it sends a message to the /meta/onMessage channel.
pushIt.sendMessage({"channel": "/meta/onMessage"});
Bug is in push-it-proto.js, line 50 (https://github.com/aaronblohowiak/Push-It/blob/827c704/server/etc/push-it-proto.js#L50). There should be a check for allowed methods like connect and subscribe.
Good catch, I will add a test and a fix later tonight.
cff45b2 Adds test & fix.
Sorry, but this doesn't fix the crash. Clients can still call pushIt.sendMessage({"channel": "/meta/onMessage"});
and the server crashes, because it is stuck in an endless loop of calling onMessage (which calls onMessage on line 52). I think you should use a blacklist for channel names here. I can provide a test page for this, if you want.
Okay, I whitelisted connect and subscribe as they are the only /meta/ operations going on and the dynamic dispatch code was more confusing. The latest commit should have fixed all of these issues.
Thanks for the feedback.
- Aaron
Great, thanks for your fast bugfix :)
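
The whitelist fix discussed in this thread, as an added example that is not part of the original issue and is not Push-It's code: a simplified model in which the handler name is taken from the client-supplied channel, next to a dispatcher that can only reach connect and subscribe. The names vulnerableProto, META_HANDLERS, hardenedOnMessage and compare, and the return values, are assumptions made for the illustration.

```javascript
// Added illustration; a simplified model, not Push-It's source.
const META_PREFIX = "/meta/";

// Before: the handler name comes straight from the client-supplied channel.
const vulnerableProto = {
  connect(msg) { return { ok: true, op: "connect" }; },
  subscribe(msg) { return { ok: true, op: "subscribe" }; },
  onMessage(msg) {
    if (msg.channel.startsWith(META_PREFIX)) {
      const name = msg.channel.slice(META_PREFIX.length);
      // "/meta/onMessage" resolves to this very function: unbounded recursion.
      return this[name](msg);
    }
    return { ok: true, op: "publish" };
  },
};

// After: only the two meta operations named in the thread are reachable.
// A Map lookup also ignores inherited names such as "constructor".
const META_HANDLERS = new Map([
  ["connect", (msg) => ({ ok: true, op: "connect" })],
  ["subscribe", (msg) => ({ ok: true, op: "subscribe" })],
]);

function hardenedOnMessage(msg) {
  const channel = typeof msg?.channel === "string" ? msg.channel : "";
  if (!channel.startsWith(META_PREFIX)) return { ok: true, op: "publish" };
  const handler = META_HANDLERS.get(channel.slice(META_PREFIX.length));
  if (!handler) return { ok: false, error: "unknown meta channel" };
  return handler(msg);
}

// Returns how each dispatcher reacts to the same message.
function compare(msg) {
  let vulnerable;
  try {
    vulnerable = vulnerableProto.onMessage(msg);
  } catch (err) {
    vulnerable = err instanceof RangeError ? "stack overflow" : `threw ${err.name}`;
  }
  return { vulnerable, hardened: hardenedOnMessage(msg) };
}

console.log(compare({ channel: "/meta/onMessage" })); // message from the report
console.log(compare({ channel: "/meta/subscribe" }));
```

In this model the recursion surfaces as a RangeError that the demo catches; a server that does not catch it would terminate on the first such message.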