Page MenuHomeWildfire Games

Don't expose lobby nick change functionality to JS
AbandonedPublic

Authored by smiley on Sep 19 2018, 3:54 PM.

Details

Summary

Exactly what it says on the title.

Reasons for removing this:

  • Not used currently.
  • Anyone can do this with the console.
  • Would lead to impersonation and whatnot.
  • Anyone who need to legitimately /nick can still do it.

Notice that this just removed it's exposure to js. xmppclient can still do it.

Test Plan

Agree this could cause trouble if a troll finds it.

Diff Detail

Repository
rP 0 A.D. Public Repository
Branch
/ps/trunk
Lint
Lint OK
Unit
No Unit Test Coverage
Build Status
Buildable 6369
Build 10558: Vulcan BuildJenkins
Build 10557: arc lint + arc unit

Event Timeline

smiley created this revision.Sep 19 2018, 3:54 PM
Vulcan added a subscriber: Vulcan.Sep 19 2018, 4:00 PM

Successful build - Chance fights ever on the side of the prudent.

Link to build: https://jenkins.wildfiregames.com/job/differential/735/display/redirect

smiley edited the summary of this revision. (Show Details)Sep 19 2018, 4:12 PM
smiley edited the summary of this revision. (Show Details)
smiley abandoned this revision.Nov 3 2018, 7:18 AM

Doesn't really fix anything.

elexis added a comment.Nov 3 2018, 8:46 AM

Notice this removes the JSInterface functions, but not the xmpp / glooxwrapper ones.
In theory it's correct to keep those functions, because an Xmpp client should implement Xmpp.
It would be better to change Xmpp itself to allow for such a policy change.
I was wondering if perhaps the client could display JIDs instead of nicks, but that in turn gives inconsistencies for pidgin / psi-plus users.
Perhaps it's just a case for the moderation bot to kick people who /nick.

smiley added a comment.Nov 3 2018, 2:55 PM

Either that or patch ejabberd which would in all likelihood end up being something regrettable in the long run. Closest thing in ejabberd is disabling visitor nick change.