AndrewBelt / hack.chat

a minimal, distraction-free chat application
https://hack.chat/
MIT License

Clients can spam server with invalid json #46

Closed WebFreak001 closed 9 years ago

WebFreak001 commented 9 years ago

If many users in the channel execute some code like this:

var x="";
for(var i=0;i<65534;i++) x+="["; // 65534 unclosed brackets: never valid JSON, so every frame ends in a parse error
setInterval(function() { ws.send(x); }, 0); // ws: the client's open websocket to the server

It'll flood the server with error messages, and try/catch isn't the fastest, so if many people do it, it could probably crash. It's missing POLICE.frisk.

AndrewBelt commented 9 years ago

Good idea, I should have a frisk before parsing JSON that costs 1 to 0.1 points, instead of adding 1 to each command.
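The fix sketched above, charging a small cost before the parse and the full cost only for a valid command, as an added example that is not hack.chat's own code. The names (createPolice, frisk, handleMessage, PARSE_COST, COMMAND_COST, MAX_FRAME_BYTES) and the decay/threshold values are assumptions for illustration, not the project's POLICE object:

```javascript
// Added example, not hack.chat's implementation: a score-based rate limiter
// applied *before* JSON.parse, so malformed or oversized frames cost the
// sender points without the server paying for a parse plus an exception.
// All names and constants here are hypothetical.

const MAX_FRAME_BYTES = 64 * 1024; // drop anything larger without parsing it
const PARSE_COST = 0.1;            // charged for merely attempting a parse
const COMMAND_COST = 1;            // charged for a well-formed command

// Each sender has a score that decays exponentially with `halflife` (ms).
// Once the score reaches `threshold`, frisk() reports the sender as
// throttled until the score decays back below it.
function createPolice({ halflife = 30000, threshold = 25 } = {}) {
  const records = new Map(); // id -> { score, time }

  function frisk(id, cost, now = Date.now()) {
    let rec = records.get(id);
    if (!rec) {
      rec = { score: 0, time: now };
      records.set(id, rec);
    }
    // decay the stored score for the time elapsed since the last frisk
    const elapsed = now - rec.time;
    rec.score *= Math.pow(2, -elapsed / halflife);
    rec.time = now;
    rec.score += cost;
    return rec.score >= threshold; // true => caller should drop the message
  }

  function score(id) {
    const rec = records.get(id);
    return rec ? rec.score : 0;
  }

  return { frisk, score };
}

// Process one raw websocket frame from sender `id`. Returns a result object;
// the caller decides how (or whether) to tell the client.
function handleMessage(police, id, raw, now = Date.now()) {
  // 1. cheap size check before touching the payload at all
  if (typeof raw !== 'string' || raw.length > MAX_FRAME_BYTES) {
    police.frisk(id, COMMAND_COST, now);
    return { ok: false, reason: 'frame too large' };
  }
  // 2. charge the parse attempt itself, so junk JSON still burns points
  if (police.frisk(id, PARSE_COST, now)) {
    return { ok: false, reason: 'rate limited' };
  }
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (e) {
    return { ok: false, reason: 'invalid json' };
  }
  if (!msg || typeof msg.cmd !== 'string') {
    return { ok: false, reason: 'missing cmd' };
  }
  // 3. well-formed command: charge the full per-command cost
  if (police.frisk(id, COMMAND_COST, now)) {
    return { ok: false, reason: 'rate limited' };
  }
  return { ok: true, cmd: msg.cmd };
}

// Simulate the flood from the report with constructed input: a 65534-byte
// run of '[' sent roughly once per millisecond. Returns how many frames
// reached JSON.parse before the sender was throttled.
function simulateFlood(frames = 1000) {
  const police = createPolice({ halflife: 30000, threshold: 25 });
  const junk = '['.repeat(65534);
  let parsed = 0;
  for (let i = 0; i < frames; i++) {
    const r = handleMessage(police, 'flooder', junk, 1000 + i);
    if (r.reason === 'invalid json') parsed++;
    else if (r.reason === 'rate limited') break;
  }
  return parsed;
}

console.log('junk frames parsed before throttling:', simulateFlood());
```

With these constants a sender gets about 250 unparseable frames before being cut off, while a normal user sending one valid command per few seconds never approaches the threshold; the size cap means the largest frames are rejected without any parse work at all.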

AndrewBelt commented 9 years ago

Fixed with 16d59e7f6e2a2da8f8a734000e78ee131f0b4a93