From 95b8cfe4abce19275e9302c2d0150b096f609704 Mon Sep 17 00:00:00 2001
From: Scott Ostler
Date: Mon, 25 Oct 2010 19:11:36 -0400
Subject: Added super ghetto mgmt security
---
src/site.clj | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
(limited to 'src/site.clj')
diff --git a/src/site.clj b/src/site.clj
index 68190d5..cd35419 100644
--- a/src/site.clj
+++ b/src/site.clj
@@ -783,10 +783,17 @@ WHERE u.user_id = ANY(?)"
 (add-message (build-msg nick content msg-id) room))
 (resp-success msg-id)))))
-(defn validated-msg [session params]
- (if (validate-room-access (params :room) session)
- (msg session params)
- (resp-error "UNKNOWN_ROOM")))
+
+(defn is-bad-mgmt? [params request]
+ (and (= (lower-case (params :room)) "mgmt")
+ (not
+ (= (lower-case (get (:headers request) "referer")) "http://dump.fm/mgmt/idontgetit"))))
+
+(defn validated-msg [session params request]
+ (cond
+ (not (validate-room-access (params :room) session)) (resp-error "UNKNOWN_ROOM")
+ (is-bad-mgmt? params request) (resp-error "INVALID")
+ :else (msg session params)))
 ;; Browser
@@ -1199,7 +1206,7 @@ WHERE u.user_id = ANY(?)"
 (copy (:tempfile image) dest)
 [200 "OK"]))))
-(defn upload [session params]
+(defn upload [session params request]
 (let [room-key (params :room)
 nick (session :nick)
 user-id (session :user_id)
@@ -1210,6 +1217,7 @@ WHERE u.user_id = ANY(?)"
 (not image) [200 "INVALID_REQUEST"]
 mute [200 (format-mute mute)]
 (not has-access) [200 "UNKNOWN_ROOM"]
+ (is-bad-mgmt? params request) [200 "INVALID_REQUEST"]
 :else (do-upload session image (lookup-room room-key)))))
 (defn upload-photo [session params]
@@ -1257,7 +1265,7 @@ WHERE u.user_id = ANY(?)"
 (def mgmt-pw "idontgetit")
-(defn mgmt [session url pw]
+(defn mgmt [session pw]
 (if (= (and pw (lower-case pw)) mgmt-pw)
 (validated-chat session "mgmt" "chat")
 (validated-chat session "mgmt")))
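Review bot: In is-bad-mgmt?, `(lower-case (get (:headers request) "referer"))` throws when the request carries no Referer header, because `get` returns nil and `lower-case` does not accept nil, so a mgmt-room POST to /msg without that header fails with an exception instead of the intended `(resp-error "INVALID")`; the same call is reached from the new cond clause in upload in the hunk starting `@@ -1210,6 +1217,7 @@`. Wrapping the header in `str` makes the comparison fail closed: `(= (lower-case (str (get (:headers request) "referer"))) "http://dump.fm/mgmt/idontgetit")`. Separately, the Referer value is chosen by the client, so this comparison is not an access-control check; the password is already verified server-side in mgmt, and recording that outcome in the session (if validated-chat does not already do so) and testing the session here would give a check that does not rest on a client-supplied header. The URL literal also duplicates the secret defined as mgmt-pw, so the two will drift if the password is ever changed.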
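Review bot: The mgmt password in `(def mgmt-pw "idontgetit")` is a hard-coded credential that the routes in the hunk starting `@@ -1344,8 +1352,8 @@` accept from the URL path (`/mgmt/:pw`), so it lands in access logs and browser history on every visit, and the new is-bad-mgmt? check now depends on that same URL, password included, being echoed back in the Referer header. Reading the secret from configuration and accepting it through a POST body rather than the path would keep it out of logs and the Referer, and would let the session carry the authorized state the Referer comparison is standing in for. The defn is fully within the hunk; apart from dropping the unused url parameter its body is unchanged.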
@@ -1344,8 +1352,8 @@ WHERE u.user_id = ANY(?)"
 (GET "/test/hiscores/week" (hiscore-test session params "week"))
 (GET "/test/hiscores/month" (hiscore-test session params "month"))
- (GET "/mgmt" (mgmt session request nil))
- (GET "/mgmt/:pw" (mgmt session request (:pw params)))
+ (GET "/mgmt" (mgmt session nil))
+ (GET "/mgmt/:pw" (mgmt session (:pw params)))
 ;; Events
 ; (GET "/event" (event-page session))
@@ -1356,7 +1364,7 @@ WHERE u.user_id = ANY(?)"
 (GET "/fullscreen" (serve-meme session "fullscreen"))
 ;; TODO: add form tokens for all destructive actions
- (POST "/msg" (validated-msg session params))
+ (POST "/msg" (validated-msg session params request))
 (POST "/submit-registration" (register session params request))
 (POST "/update-profile" (update-profile session params))
 (GET "/directory" (directory session 0))
@@ -1423,7 +1431,7 @@ WHERE u.user_id = ANY(?)"
 (ANY "*" (unknown-page)))
 (defroutes multipart
- (POST "/upload/message" (upload session params))
+ (POST "/upload/message" (upload session params request))
 (POST "/upload/photo" (upload-photo session params))
 (POST "/upload/avatar" (upload-avatar session params)))
-- cgit v1.2.3-70-g09d2