From 1e1cd7ce0aa362a0a2a20a764145035be911673d Mon Sep 17 00:00:00 2001 From: Tom Smeding Date: Sat, 27 Feb 2021 17:39:46 +0100 Subject: server: Restrict is_online to only query users you know about --- command.c | 15 ++++++++++----- db.c | 18 ++++++++++++++++++ db.h | 1 + 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/command.c b/command.c index ac6ff09..d84c456 100644 --- a/command.c +++ b/command.c @@ -542,14 +542,19 @@ static struct cmd_retval cmd_ping(struct conn_data *data,const char *tag,const c } static struct cmd_retval cmd_is_online(struct conn_data *data,const char *tag,const char **args){ - i64 userid=db_find_user(args[0]); - if(userid==-1){ - net_send_error(data->fd,tag,"User not found"); + if (data->userid == -1) { + net_send_error(data->fd, tag, "Not logged in"); + return RET_OK; + } + + i64 userid2 = db_find_user(args[0]); + if (userid2 == -1 || !db_user_knows_user(data->userid, userid2)) { + net_send_error(data->fd, tag, "User not found"); return RET_OK; } i64 nfds; - (void)userdata_online(userid,&nfds); - return RET_CLOSE(net_send_number(data->fd,tag,nfds)); + (void)userdata_online(userid2, &nfds); + return RET_CLOSE(net_send_number(data->fd, tag, nfds)); } static struct cmd_retval cmd_firebase_token(struct conn_data *data,const char *tag,const char **args){ diff --git a/db.c b/db.c index a349b44..e2dd6f1 100644 --- a/db.c +++ b/db.c @@ -453,6 +453,24 @@ bool db_delete_token(i64 userid,const char *token){ return success; } +bool db_user_knows_user(i64 userid1, i64 userid2) { + assert(userid1 != -1 && userid2 != -1); + static sqlite3_stmt *stmt = NULL; + if (!stmt) { + SQLITE(prepare_v2, database, + "select count(*) > 0 " + "from Members as A, Members as B " + "where A.room = B.room and A.user = ? and B.user = ?" + ,-1, &stmt, NULL); + } + SQLITE(bind_int64, stmt, 1, userid1); + SQLITE(bind_int64, stmt, 2, userid2); + assert(sqlite3_step(stmt) == SQLITE_ROW); + bool found = sqlite3_column_int(stmt, 0) == 1; + reset_stmt(stmt); + return found; +} + i64 db_create_message(i64 roomid,i64 userid,i64 timestamp,i64 replyid,const char *message){ static sqlite3_stmt *stmt = NULL; diff --git a/db.h b/db.h index 73d275a..8c545ad 100644 --- a/db.h +++ b/db.h @@ -59,6 +59,7 @@ i64 db_find_user(const char *name); // -1 if not found struct db_strings_list db_user_tokens(i64 userid); bool db_add_token(i64 userid,const char *token); bool db_delete_token(i64 userid,const char *token); +bool db_user_knows_user(i64 userid1,i64 userid2); // both users have a common room i64 db_create_message(i64 roomid,i64 userid,i64 timestamp,i64 replyid,const char *message); // returns msgid struct db_message_list db_get_messages(i64 roomid,i64 count); // gets latest `count` messages in rev. chron. order -- cgit v1.2.3-70-g09d2