Security fix : don't broadcast messages to unauthenticated clients

2024-08-30 18:12:16 +00:00 · 2016-11-27 17:40:57 +01:00 · 2016-11-27 17:40:57 +01:00 · 554ab54690
commit 554ab54690
parent 5abcd18ba0
3 changed files with 13 additions and 1 deletions
--- a/WSRequestHandler.cpp
+++ b/WSRequestHandler.cpp
@ -104,6 +104,10 @@ void WSRequestHandler::sendTextMessage(QString textMessage) {
 	_client->sendTextMessage(textMessage);
 }
 bool WSRequestHandler::isAuthenticated() {
 	return _authenticated;
 }
 WSRequestHandler::~WSRequestHandler() {
 	if (_requestData != NULL) {
 		obs_data_release(_requestData);
@ -140,7 +144,7 @@ void WSRequestHandler::HandleGetVersion(WSRequestHandler *owner) {
 	obs_data_set_double(data, "version", 1.1);
 	obs_data_set_string(data, "obs-websocket-version", OBS_WEBSOCKET_VERSION);
 	//obs_data_set_string(data, "obs-studio-version", OBS_VERSION); // Wrong
-	
+
 	owner->SendOKResponse(data);
 	obs_data_release(data);
--- a/WSRequestHandler.h
+++ b/WSRequestHandler.h
@ -32,6 +32,7 @@ class WSRequestHandler : public QObject
 		explicit WSRequestHandler(QWebSocket *client);
 		~WSRequestHandler();
 		void sendTextMessage(QString textMessage);
 		bool isAuthenticated();
 	private Q_SLOTS:
 		void processTextMessage(QString textMessage);
--- a/WSServer.cpp
+++ b/WSServer.cpp
@ -18,6 +18,7 @@ with this program. If not, see <https://www.gnu.org/licenses/>
 #include "WSServer.h"
 #include "WSRequestHandler.h"
 #include "Config.h"
 #include <QtWebSockets/QWebSocketServer>
 #include <QtWebSockets/QWebSocket>
 #include <QtCore/QDebug>
@ -54,6 +55,12 @@ WSServer::~WSServer()
 void WSServer::broadcast(QString message)
 {
 	Q_FOREACH(WSRequestHandler *pClient, _clients) {
 		if (Config::Current()->AuthRequired == true 
 			&& pClient->isAuthenticated() == false) {
 			// Skip this client if unauthenticated
 			continue;
 		}
 		pClient->sendTextMessage(message);
 	}
 }