Security fix : don't broadcast messages to unauthenticated clients

Stéphane Lepin 2016-11-27 17:40:57 +01:00
parent 5abcd18ba0
commit 554ab54690
3 changed files with 13 additions and 1 deletions


@ -104,6 +104,10 @@ void WSRequestHandler::sendTextMessage(QString textMessage) {
_client->sendTextMessage(textMessage);
}
bool WSRequestHandler::isAuthenticated() {
return _authenticated;
}
WSRequestHandler::~WSRequestHandler() {
if (_requestData != NULL) {
obs_data_release(_requestData);
@ -140,7 +144,7 @@ void WSRequestHandler::HandleGetVersion(WSRequestHandler *owner) {
obs_data_set_double(data, "version", 1.1);
obs_data_set_string(data, "obs-websocket-version", OBS_WEBSOCKET_VERSION);
//obs_data_set_string(data, "obs-studio-version", OBS_VERSION); // Wrong
owner->SendOKResponse(data);
obs_data_release(data);
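Review bot: `isAuthenticated()` returns `_authenticated` as-is, so the new broadcast filter is only as trustworthy as that member's initial value. The constructor is outside this hunk; please confirm it sets `_authenticated` to `false` (for example in the initialiser list), since an uninitialised `bool` could read as true and let a client that never authenticated pass the check. The accessor does not modify state, so it can be `const`: declare `bool isAuthenticated() const;` in the header and define `bool WSRequestHandler::isAuthenticated() const { return _authenticated; }` here. A short comment on the accessor saying that it gates event delivery in `WSServer::broadcast()` would help the next reader.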


@ -32,6 +32,7 @@ class WSRequestHandler : public QObject
explicit WSRequestHandler(QWebSocket *client);
~WSRequestHandler();
void sendTextMessage(QString textMessage);
bool isAuthenticated();
private Q_SLOTS:
void processTextMessage(QString textMessage);


@ -18,6 +18,7 @@ with this program. If not, see <https://www.gnu.org/licenses/>
#include "WSServer.h"
#include "WSRequestHandler.h"
#include "Config.h"
#include <QtWebSockets/QWebSocketServer>
#include <QtWebSockets/QWebSocket>
#include <QtCore/QDebug>
@ -54,6 +55,12 @@ WSServer::~WSServer()
void WSServer::broadcast(QString message)
{
Q_FOREACH(WSRequestHandler *pClient, _clients) {
if (Config::Current()->AuthRequired == true
&& pClient->isAuthenticated() == false) {
// Skip this client if unauthenticated
continue;
}
pClient->sendTextMessage(message);
}
}
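Review bot: The filter in `broadcast()` re-reads `Config::Current()->AuthRequired` for every client and dereferences the returned pointer without a null check. Whether `Config::Current()` can return null is not visible from this hunk. Reading the flag once before the `Q_FOREACH`, as `const bool authRequired = Config::Current()->AuthRequired;`, applies one decision to the whole broadcast and leaves a simpler condition to audit: `if (authRequired && !pClient->isAuthenticated()) continue;`. The check also covers only this function, so any other path that calls `sendTextMessage()` on a handler directly is not gated by it. I would state that in a comment above the loop, e.g. `// Events go only to authenticated clients when auth is required; other senders must check isAuthenticated() themselves`.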