Improvements on user validation

yaohuimo · Mar 6, 2016 · ef97e94 · ef97e94
1 parent d840aa4
commit ef97e94
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 7 deletions.
diff --git a/src/pkg/config/config.go b/src/pkg/config/config.go
@@ -15,6 +15,7 @@ import (
 	"io"
 	"net"
 	"sort"
+	"strings"
 	"sync"
 )
 
@@ -65,6 +66,7 @@ type RoomUser struct {
 	ignoreList []string
 	kickout    bool
 	conn       net.Conn
+	addr       string
 }
 
 // RoomConfig represents in memory a defined room loaded from a cherry file.
@@ -149,7 +151,7 @@ func (c *CherryRooms) AddUser(roomName, nickname, color string, kickout bool) {
 	md := md5.New()
 	io.WriteString(md, roomName+nickname+color)
 	id := fmt.Sprintf("%x", md.Sum(nil))
-	c.configs[roomName].users[nickname] = &RoomUser{id, color, make([]string, 0), kickout, nil}
+	c.configs[roomName].users[nickname] = &RoomUser{id, color, make([]string, 0), kickout, nil, ""}
 	c.configs[roomName].mutex.Unlock()
 }
 
@@ -722,10 +724,19 @@ func (c *CherryRooms) HasUser(roomName, user string) bool {
 }
 
 // IsValidUserRequest verifies if the session ID really matches with the previously defined.
-func (c *CherryRooms) IsValidUserRequest(roomName, user, id string) bool {
+func (c *CherryRooms) IsValidUserRequest(roomName, user, id string, userConn net.Conn) bool {
 	var valid = false
 	if c.HasUser(roomName, user) {
 		valid = (id == c.GetSessionID(user, roomName))
+		if valid {
+			c.Lock(roomName)
+			userAddr := strings.Split(userConn.RemoteAddr().String(), ":")
+			realAddr := c.configs[roomName].users[user].addr
+			c.Unlock(roomName)
+			if len(userAddr) > 0 && len(realAddr) > 0 {
+				valid = (realAddr == userAddr[0])
+			}
+		}
 	}
 	return valid
 }
@@ -766,6 +777,10 @@ func (c *CherryRooms) GetDeIgnoreAction(roomName string) string {
 func (c *CherryRooms) SetUserConnection(roomName, user string, conn net.Conn) {
 	c.Lock(roomName)
 	c.configs[roomName].users[user].conn = conn
+	remoteAddr := strings.Split(conn.RemoteAddr().String(), ":")
+	if len(remoteAddr) > 0 {
+		c.configs[roomName].users[user].addr = remoteAddr[0]
+	}
 	c.Unlock(roomName)
 }
 

diff --git a/src/pkg/reqtraps/reqtraps.go b/src/pkg/reqtraps/reqtraps.go
@@ -142,7 +142,7 @@ func GetTopHandle(newConn net.Conn, roomName, httpPayload string, rooms *config.
 	var userData map[string]string
 	userData = rawhttp.GetFieldsFromGet(httpPayload)
 	var replyBuffer []byte
-	if !rooms.IsValidUserRequest(roomName, userData["user"], userData["id"]) {
+	if !rooms.IsValidUserRequest(roomName, userData["user"], userData["id"], newConn) {
 		replyBuffer = rawhttp.MakeReplyBuffer(html.GetBadAssErrorData(), 404, true)
 	} else {
 		replyBuffer = rawhttp.MakeReplyBuffer(preprocessor.ExpandData(roomName, rooms.GetTopTemplate(roomName)), 200, true)
@@ -158,7 +158,7 @@ func GetBannerHandle(newConn net.Conn, roomName, httpPayload string, rooms *conf
 	userData = rawhttp.GetFieldsFromGet(httpPayload)
 	preprocessor.SetDataValue("{{.nickname}}", userData["user"])
 	preprocessor.SetDataValue("{{.session-id}}", userData["id"])
-	if !rooms.IsValidUserRequest(roomName, userData["user"], userData["id"]) {
+	if !rooms.IsValidUserRequest(roomName, userData["user"], userData["id"], newConn) {
 		replyBuffer = rawhttp.MakeReplyBuffer(html.GetBadAssErrorData(), 404, true)
 	} else {
 		replyBuffer = rawhttp.MakeReplyBuffer(preprocessor.ExpandData(roomName, rooms.GetBannerTemplate(roomName)), 200, true)
@@ -172,7 +172,7 @@ func GetExitHandle(newConn net.Conn, roomName, httpPayload string, rooms *config
 	var userData map[string]string
 	var replyBuffer []byte
 	userData = rawhttp.GetFieldsFromGet(httpPayload)
-	if !rooms.IsValidUserRequest(roomName, userData["user"], userData["id"]) {
+	if !rooms.IsValidUserRequest(roomName, userData["user"], userData["id"], newConn) {
 		replyBuffer = rawhttp.MakeReplyBuffer(html.GetBadAssErrorData(), 404, true)
 	} else {
 		preprocessor.SetDataValue("{{.nickname}}", userData["user"])
@@ -232,7 +232,7 @@ func GetBodyHandle(newConn net.Conn, roomName, httpPayload string, rooms *config
 	var userData map[string]string
 	userData = rawhttp.GetFieldsFromGet(httpPayload)
 	var validUser bool
-	validUser = rooms.IsValidUserRequest(roomName, userData["user"], userData["id"])
+	validUser = rooms.IsValidUserRequest(roomName, userData["user"], userData["id"], newConn)
 	var replyBuffer []byte
 	if !validUser {
 		replyBuffer = rawhttp.MakeReplyBuffer(html.GetBadAssErrorData(), 404, true)
@@ -273,7 +273,7 @@ func PostBannerHandle(newConn net.Conn, roomName, httpPayload string, rooms *con
 		invalidRequest = true
 	}
 	var restoreBanner = true
-	if invalidRequest || !rooms.IsValidUserRequest(roomName, userData["user"], userData["id"]) {
+	if invalidRequest || !rooms.IsValidUserRequest(roomName, userData["user"], userData["id"], newConn) {
 		replyBuffer = rawhttp.MakeReplyBuffer(html.GetBadAssErrorData(), 404, true)
 	} else if userData["action"] == rooms.GetIgnoreAction(roomName) {
 		if userData["user"] != userData["whoto"] && !rooms.IsIgnored(userData["user"], userData["whoto"], roomName) {