Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

clients should not have the right to create new variables on the server #43

Closed
tommedema opened this issue Apr 9, 2011 · 4 comments
Closed

clients should not have the right to create new variables on the server #43

tommedema opened this issue Apr 9, 2011 · 4 comments

Comments

@tommedema
Copy link

For a RIA to work, the server has to be aware of the variables of each client. Thus, the server should be the one instantiating the clients' variables of the magic synced pool.

Clients thus do not need the right to create new variables on the server. Also, the current implementation allows clients to create infinite amounts of variables causing memory problems on the server's side.
@ericz
Copy link
Contributor

ericz commented Apr 9, 2011

Hey Tom,

We've added the clientWrite option which allows you to stop clients from writing to the server.

 nowjs.initialize(httpServer, {clientWrite: false});

However changes are rejected on the server side so it is important to make sure that any type of data sent to the server is rejected if it surpasses a certain size

@ericz ericz closed this as completed Apr 9, 2011
@tommedema
Copy link
Author

Hi Eric,

Thanks.

Your last remark got my slightly confused though. I assume that you refuse a
variable change on the server side before even looking at the given data,
right? What did you mean with the size validation or was that regarding
function calls?

Regards,
Tom

2011/4/9 ericz <
reply@reply.github.com>

Hey Tom,

We've added the clientWrite option which allows you to stop clients from
writing to the server.

nowjs.initialize(httpServer, {clientWrite: false});

However changes are rejected on the server side so it is important to make
sure that any type of data sent to the server is rejected if it surpasses a
certain size

Reply to this email directly or view it on GitHub:
#43 (comment)

@ericz
Copy link
Contributor

ericz commented Apr 9, 2011

Hey Tom,

Yes that was regarding function calls.

Variable changes rejections can be done at a lower level than what
we're doing now. It would be a more difficult implementation but the
gains are clear. I'll look into shipping that in the next version.

Thanks,
Eric

On Sat, Apr 9, 2011 at 9:02 AM, tommedema
reply@reply.github.com
wrote:

Hi Eric,

Thanks.

Your last remark got my slightly confused though. I assume that you refuse a
variable change on the server side before even looking at the given data,
right? What did you mean with the size validation or was that regarding
function calls?

Regards,
Tom

2011/4/9 ericz <
reply@reply.github.com>

Hey Tom,

We've added the clientWrite option which allows you to stop clients from
writing to the server.

    nowjs.initialize(httpServer, {clientWrite: false});

However changes are rejected on the server side so it is important to make
sure that any type of data sent to the server is rejected if it surpasses a
certain size

Reply to this email directly or view it on GitHub:
#43 (comment)

Reply to this email directly or view it on GitHub:
#43 (comment)

510-691-3951
EECS Student at UC Berkeley
http://ericzhang.com

@tommedema
Copy link
Author

Hello again,

I looked at your multi room chat example:
https://github.com/Flotype/now/blob/master/examples/multiroomchat_example/multiroomchat_server.js

https://github.com/Flotype/now/blob/master/examples/multiroomchat_example/multiroomchat_server.jsMy
concerns are that some developers probably do not realize that the client
can actually change their own room programatically, by changing now.room.

For example, if the dev is to extend this example to include private rooms
(1 to 1), a non-invited person could change his room to a private room and
enter that conversation.

However, when clientWrite is set to false, this vulnerability does not exist
because a call to setRoom("private1") will be rejected by the server as that
user is not authenticated for that specific private room.

Just thought you might want to raise this warning in the documentation, or
even set clientWrite to false by default.

You can ignore this though, as I personally do not mind since I will set
clientWrite to false, but I believe that this could otherwise cause some
developers to face unexpected problems.

Regards,
Tom

2011/4/9 ericz <
reply@reply.github.com>

Hey Tom,

Yes that was regarding function calls.

Variable changes rejections can be done at a lower level than what
we're doing now. It would be a more difficult implementation but the
gains are clear. I'll look into shipping that in the next version.

Thanks,
Eric

On Sat, Apr 9, 2011 at 9:02 AM, tommedema
reply@reply.github.com
wrote:

Hi Eric,

Thanks.

Your last remark got my slightly confused though. I assume that you
refuse a
variable change on the server side before even looking at the given data,
right? What did you mean with the size validation or was that regarding
function calls?

Regards,
Tom

2011/4/9 ericz <
reply@reply.github.com>

Hey Tom,

We've added the clientWrite option which allows you to stop clients from
writing to the server.

nowjs.initialize(httpServer, {clientWrite: false});

However changes are rejected on the server side so it is important to
make
sure that any type of data sent to the server is rejected if it
surpasses a
certain size

Reply to this email directly or view it on GitHub:
#43 (comment)

Reply to this email directly or view it on GitHub:
#43 (comment)

510-691-3951
EECS Student at UC Berkeley
http://ericzhang.com

Reply to this email directly or view it on GitHub:
#43 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ericz @tommedema