I have the dynmap web server run on lighttpd in order to get the SSL support. Everything is internal.
My dynmap class configuration is made so: (omitted irrelevant portions)
```yaml
- class: org.dynmap.JsonFileClientUpdateComponent
  writeinterval: 1
  allowwebchat: true
  webchat-interval: 0
  hidewebchatip: true
  use-player-login-ip: false
  require-player-login-ip: false
  block-banned-player-chat: true
  # Require login for web-to-server chat (requires login-enabled: true)
  webchat-requires-login: true
  # If set to true, users must have dynmap.webchat permission in order to chat
  webchat-permissions: true
  # Limit length of single chat messages
  chatlengthlimit: 256
  hidenames: false
```
I assumed setting webchat-requires-login to true requires users to be logged on, and the dynmap uses browser session name to match the username with the messages. However, when I tried making a POST request to standalone/sendmessage.php manually on a different browser, it displayed "web-###" as the sender. I expected to get an error for trying to send a message while not logged in and/or no message output at all.
chuushi changed the title from "Separate web server allows anyone to use webchat without logging in" to "Separate web server allows anyone to POST to sendmessage.php without logging in" on Apr 15, 2016