clients should not have the right to create new variables on the server #43
Comments
Hey Tom, We've added the clientWrite option which allows you to stop clients from writing to the server.
However changes are rejected on the server side so it is important to make sure that any type of data sent to the server is rejected if it surpasses a certain size
Hi Eric, Thanks. Your last remark got me slightly confused though. I assume that you refuse a Regards, 2011/4/9 ericz <
Hey Tom, Yes that was regarding function calls. Variable changes rejections can be done at a lower level than what Thanks, On Sat, Apr 9, 2011 at 9:02 AM, tommedema
Hello again, I looked at your multi room chat example: https://github.com/Flotype/now/blob/master/examples/multiroomchat_example/multiroomchat_server.js My For example, if the dev is to extend this example to include private rooms However, when clientWrite is set to false, this vulnerability does not exist Just thought you might want to raise this warning in the documentation, or You can ignore this though, as I personally do not mind since I will set Regards, 2011/4/9 ericz <
For a RIA to work, the server has to be aware of the variables of each client. Thus, the server should be the one instantiating the clients' variables of the magic synced pool.
Clients thus do not need the right to create new variables on the server. Also, the current implementation allows clients to create infinite amounts of variables causing memory problems on the server's side.
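Added example, not part of the original thread and not NowJS code: a server-side write guard in which a client can only update variables the server declared, and values over a size cap are rejected, covering both the variable-creation concern in the issue text and the size remark in the comments. `createScope`, `applyClientWrite` and the 1024-byte cap are hypothetical names and values chosen for illustration.

```javascript
'use strict';

// Assumed per-value cap in bytes; tune to the application.
const MAX_VALUE_BYTES = 1024;

// The server declares every synced variable up front.
// A null-prototype object means "__proto__" is just another undeclared key.
function createScope(serverDefaults) {
  const vars = Object.create(null);
  for (const [key, value] of Object.entries(serverDefaults)) {
    vars[key] = value;
  }
  return { vars, declared: new Set(Object.keys(serverDefaults)) };
}

// Apply one client-originated write. Returns { ok, reason } and never
// creates a key the server did not declare.
function applyClientWrite(scope, key, value) {
  if (typeof key !== 'string' || !scope.declared.has(key)) {
    return { ok: false, reason: 'undeclared-variable' };
  }
  let encoded;
  try {
    encoded = JSON.stringify(value); // throws on circular structures
  } catch (err) {
    return { ok: false, reason: 'unserializable' };
  }
  if (encoded === undefined) { // functions, undefined, symbols
    return { ok: false, reason: 'unserializable' };
  }
  if (Buffer.byteLength(encoded, 'utf8') > MAX_VALUE_BYTES) {
    return { ok: false, reason: 'too-large' };
  }
  scope.vars[key] = JSON.parse(encoded); // store a plain copy, not the client's object
  return { ok: true, reason: null };
}

// Constructed sample input: a per-client scope with two server-declared variables.
const demoScope = createScope({ name: 'anonymous', room: 'lobby' });
console.log(applyClientWrite(demoScope, 'name', 'tom'));
console.log(applyClientWrite(demoScope, 'junk_0001', 'x'));
console.log(applyClientWrite(demoScope, 'room', 'x'.repeat(5000)));
```

Because rejected writes return before any assignment, the number of keys held per client stays fixed at what the server declared, regardless of how many distinct names a client sends.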