From 74b3683cf165f783dc1b600af618ab8bb4c905e3 Mon Sep 17 00:00:00 2001
From: Juliusz Chroboczek
Date: Mon, 30 Nov 2020 15:22:00 +0100
Subject: [PATCH] Protect against chat message spoofing.
---
 rtpconn/webclient.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/rtpconn/webclient.go b/rtpconn/webclient.go
index 0222b1f..a57976c 100644
--- a/rtpconn/webclient.go
+++ b/rtpconn/webclient.go
@@ -1069,6 +1069,13 @@ func handleClientMessage(c *webClient, m clientMessage) error {
 log.Printf("ICE: %v", err)
 }
 case "chat", "usermessage":
+ if m.Id != c.id {
+ return group.UserError("wrong sender id")
+ }
+ if m.Username != "" && m.Username != c.username {
+ return group.UserError("wrong sender username")
+ }
+
 tm := group.ToJSTime(time.Now())
 if m.Type == "chat" {
 if m.Dest == "" {
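Review bot: The username check in the `"chat", "usermessage"` case skips the comparison when `m.Username` is empty, so a message with no username is accepted and the sender name recipients see then depends on forwarding code below the hunk, which is not visible here. If that code relays `m.Username` rather than `c.username`, the message goes out unattributed; filling the field from the connection state removes the dependence on client input, e.g. `if m.Username == "" { m.Username = c.username }` after the two checks. A rejected message is a useful signal for operators, so a `log.Printf("client %v: sender id mismatch", c.id)` before each return would make spoofing attempts visible in the server log. Other cases in this switch that carry a sender id are outside the hunk and may need the same validation. handleClientMessage starts and ends outside the hunk.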