From 86eeb3d8cfd51fb97db19e66105c82d83625ec03 Mon Sep 17 00:00:00 2001 From: Juliusz Chroboczek Date: Sun, 1 Dec 2024 21:40:50 +0100 Subject: [PATCH] Protect against sending a file to oneself. When a user sends a file to oneself (which is only possible as a chat command), then the two file transfer data structures have the same id, which causes confusion. We used to detect this case too late, detect it earlier. Thanks to J.-J. Sarton for the report. --- static/protocol.js | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/static/protocol.js b/static/protocol.js index 34bd912..6461ee2 100644 --- a/static/protocol.js +++ b/static/protocol.js @@ -2198,6 +2198,7 @@ ServerConnection.prototype.fileTransfer = function(id, username, message) { 'perhaps you need to upgrade your client ?'); return; } + let f = new TransferredFile( sc, id, message.id, false, username, message.name, message.mimetype, message.size, @@ -2205,6 +2206,15 @@ ServerConnection.prototype.fileTransfer = function(id, username, message) { f.version = version; f.state = 'inviting'; + let fid = f.fullid(); + if(fid in sc.transferredFiles) { + sendFileCancel(sc, id, message.id, + 'Duplicate file transfer id; ' + + 'perhaps you have tried to send a file to yourself?'); + return; + } + + try { if(sc.onfiletransfer) sc.onfiletransfer.call(sc, f); @@ -2217,16 +2227,6 @@ ServerConnection.prototype.fileTransfer = function(id, username, message) { return; } - let fid = f.fullid(); - if(fid in sc.transferredFiles) { - if(id === sc.id) { - f.cancel('cannot send file to self'); - } else { - console.error('Duplicate id for file transfer'); - f.cancel("duplicate id (this shouldn't happen)"); - } - return; - } sc.transferredFiles[fid] = f; break; }