From ed531cefc2f710ef5911545fda39c8b729182b92 Mon Sep 17 00:00:00 2001
From: Juliusz Chroboczek
Date: Mon, 30 Nov 2020 15:39:44 +0100
Subject: [PATCH] More spoofing protection.
---
 rtpconn/webclient.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/rtpconn/webclient.go b/rtpconn/webclient.go
index a57976c..a001925 100644
--- a/rtpconn/webclient.go
+++ b/rtpconn/webclient.go
@@ -1114,6 +1114,12 @@ func handleClientMessage(c *webClient, m clientMessage) error {
 ccc.write(mm)
 }
 case "groupaction":
+ if m.Id != c.id {
+ return group.UserError("wrong sender id")
+ }
+ if m.Username != "" && m.Username != c.username {
+ return group.UserError("wrong sender username")
+ }
 switch m.Kind {
 case "clearchat":
 c.group.ClearChatHistory()
@@ -1162,6 +1168,12 @@ func handleClientMessage(c *webClient, m clientMessage) error {
 return group.ProtocolError("unknown group action")
 }
 case "useraction":
+ if m.Id != c.id {
+ return group.UserError("wrong sender id")
+ }
+ if m.Username != "" && m.Username != c.username {
+ return group.UserError("wrong sender username")
+ }
 switch m.Kind {
 case "op", "unop", "present", "unpresent":
 if !c.permissions.Op {
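Review bot: The sender check added under `case "groupaction":` is pasted verbatim under `case "useraction":` in the second hunk, so a message type added later gets spoofing protection only if someone remembers to copy it again. I would move it into one helper (the name `checkSender` is only a suggestion) and call it from each case as `if err := checkSender(c, m); err != nil { return err }`. The username test is skipped when `m.Username` is empty, which is safe only if the code after the check reports `c.username` rather than the message field; that code is outside the hunk, so either confirm it or set `m.Username = c.username` once the check passes. `handleClientMessage` begins before and continues after both hunks, so the other cases that carry a sender id could not be checked from here.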