From 7134de4de58d86b5f0bc61bf205cc8de291ec709 Mon Sep 17 00:00:00 2001
From: calzoneman
Date: Thu, 20 Mar 2014 09:18:54 -0500
Subject: [PATCH] Fix another instance where #335 could be exposed
---
 lib/channel.js | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/lib/channel.js b/lib/channel.js
index bf3d1324..dad928f6 100644
--- a/lib/channel.js
+++ b/lib/channel.js
@@ -1542,7 +1542,7 @@ Channel.prototype.handleQueue = function (user, data) {
 if (data.pos === "next" && !this.hasPermission(user, "playlistnext")) {
 return;
 }
- var pos = data.pos || "end";
+ var pos = data.pos;
 // Verify user has permission to add a YouTube playlist, if relevant
 if (data.type === "yp" && !this.hasPermission(user, "playlistaddlist")) {
@@ -1822,10 +1822,19 @@ Channel.prototype.handleQueuePlaylist = function (user, data) {
 }
 var name = data.name;
+ /* Kick for this because there's no legitimate way to do this with the
+ UI. Can only be accomplished by manually sending a packet and people
+ abuse it to bypass the addnext permission
+ */
+ if (data.pos !== "next" && data.pos !== "end") {
+ user.kick("Illegal queue packet: pos must be 'next' or 'end'");
+ return;
+ }
+
 if (data.pos === "next" && !self.hasPermission(user, "playlistnext")) {
 return;
 }
- var pos = data.pos || "end";
+ var pos = data.pos;
 var temp = data.temp || !self.hasPermission(user, "addnontemp");
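Review bot: With the `|| "end"` fallback gone, `var pos = data.pos;` in handleQueue is only safe if an earlier check has already limited `data.pos` to "next" or "end". That check is not visible in this hunk (the function body starts and ends outside it), so a comment such as `// data.pos was validated above as "next" or "end"; deliberately no default` would keep the invariant from being lost in a later edit. The same assignment appears in the handleQueuePlaylist hunk, where the guard is written inline. Since this is the second handler to need it, one shared validator called by both would make it harder for a further queue handler to skip the check that protects the `playlistnext` permission. A packet that omits `pos` is now kicked instead of being queued at the end, which is worth confirming against every client that sends these packets.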