moon
/
sync
mirror of https://github.com/calzoneman/sync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix another instance where #335 could be exposed

This commit is contained in:
calzoneman 2014-03-20 09:18:54 -05:00
parent a6434ec47f
commit 7134de4de5
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
lib/channel.js
View File

@ -1542,7 +1542,7 @@ Channel.prototype.handleQueue = function (user, data) {
if (data.pos === "next" && !this.hasPermission(user, "playlistnext")) { if (data.pos === "next" && !this.hasPermission(user, "playlistnext")) {
return; return;
} }
var pos = data.pos || "end"; var pos = data.pos;
// Verify user has permission to add a YouTube playlist, if relevant // Verify user has permission to add a YouTube playlist, if relevant
if (data.type === "yp" && !this.hasPermission(user, "playlistaddlist")) { if (data.type === "yp" && !this.hasPermission(user, "playlistaddlist")) {
@ -1822,10 +1822,19 @@ Channel.prototype.handleQueuePlaylist = function (user, data) {
} }
var name = data.name; var name = data.name;
/* Kick for this because there's no legitimate way to do this with the
UI. Can only be accomplished by manually sending a packet and people
abuse it to bypass the addnext permission
*/
if (data.pos !== "next" && data.pos !== "end") {
user.kick("Illegal queue packet: pos must be 'next' or 'end'");
return;
}
if (data.pos === "next" && !self.hasPermission(user, "playlistnext")) { if (data.pos === "next" && !self.hasPermission(user, "playlistnext")) {
return; return;
} }
var pos = data.pos || "end"; var pos = data.pos;
var temp = data.temp || !self.hasPermission(user, "addnontemp"); var temp = data.temp || !self.hasPermission(user, "addnontemp");