Closed tommedema closed 13 years ago
ericz
commented
13 years ago Hey Tom,
We've added the clientWrite option which allows you to stop clients from writing to the server.
nowjs.initialize(httpServer, {clientWrite: false});However changes are rejected on the server side so it is important to make sure that any type of data sent to the server is rejected if it surpasses a certain size
tommedema
commented
13 years ago Hi Eric,
Thanks.
Your last remark got my slightly confused though. I assume that you refuse a variable change on the server side before even looking at the given data, right? What did you mean with the size validation or was that regarding function calls?
Regards, Tom
2011/4/9 ericz < reply@reply.github.com>
Hey Tom,
We've added the clientWrite option which allows you to stop clients from writing to the server.
nowjs.initialize(httpServer, {clientWrite: false});However changes are rejected on the server side so it is important to make sure that any type of data sent to the server is rejected if it surpasses a certain size
Reply to this email directly or view it on GitHub: https://github.com/Flotype/now/issues/43#comment_977420
ericz
commented
13 years ago Hey Tom,
Yes that was regarding function calls.
Variable changes rejections can be done at a lower level than what we're doing now. It would be a more difficult implementation but the gains are clear. I'll look into shipping that in the next version.
Thanks, Eric
On Sat, Apr 9, 2011 at 9:02 AM, tommedema reply@reply.github.com wrote:
Hi Eric,
Thanks.
Your last remark got my slightly confused though. I assume that you refuse a variable change on the server side before even looking at the given data, right? What did you mean with the size validation or was that regarding function calls?
Regards, Tom
2011/4/9 ericz < reply@reply.github.com>
Hey Tom,
We've added the clientWrite option which allows you to stop clients from writing to the server.
nowjs.initialize(httpServer, {clientWrite: false});
However changes are rejected on the server side so it is important to make sure that any type of data sent to the server is rejected if it surpasses a certain size
Reply to this email directly or view it on GitHub: https://github.com/Flotype/now/issues/43#comment_977420
Reply to this email directly or view it on GitHub: https://github.com/Flotype/now/issues/43#comment_977548
510-691-3951 EECS Student at UC Berkeley http://ericzhang.com
tommedema
commented
13 years ago Hello again,
I looked at your multi room chat example: https://github.com/Flotype/now/blob/master/examples/multiroomchat_example/multiroomchat_server.js
https://github.com/Flotype/now/blob/master/examples/multiroomchat_example/multiroomchat_server.jsMy concerns are that some developers probably do not realize that the client can actually change their own room programatically, by changing now.room.
For example, if the dev is to extend this example to include private rooms (1 to 1), a non-invited person could change his room to a private room and enter that conversation.
However, when clientWrite is set to false, this vulnerability does not exist because a call to setRoom("private1") will be rejected by the server as that user is not authenticated for that specific private room.
Just thought you might want to raise this warning in the documentation, or even set clientWrite to false by default.
You can ignore this though, as I personally do not mind since I will set clientWrite to false, but I believe that this could otherwise cause some developers to face unexpected problems.
Regards, Tom
2011/4/9 ericz < reply@reply.github.com>
Hey Tom,
Yes that was regarding function calls.
Variable changes rejections can be done at a lower level than what we're doing now. It would be a more difficult implementation but the gains are clear. I'll look into shipping that in the next version.
Thanks, Eric
On Sat, Apr 9, 2011 at 9:02 AM, tommedema reply@reply.github.com wrote:
Hi Eric,
Thanks.
Your last remark got my slightly confused though. I assume that you refuse a variable change on the server side before even looking at the given data, right? What did you mean with the size validation or was that regarding function calls?
Regards, Tom
2011/4/9 ericz < reply@reply.github.com>
Hey Tom,
We've added the clientWrite option which allows you to stop clients from writing to the server.
nowjs.initialize(httpServer, {clientWrite: false});However changes are rejected on the server side so it is important to make sure that any type of data sent to the server is rejected if it surpasses a certain size
Reply to this email directly or view it on GitHub: https://github.com/Flotype/now/issues/43#comment_977420
Reply to this email directly or view it on GitHub: https://github.com/Flotype/now/issues/43#comment_977548
510-691-3951 EECS Student at UC Berkeley http://ericzhang.com
Reply to this email directly or view it on GitHub: https://github.com/Flotype/now/issues/43#comment_977555
For a RIA to work, the server has to be aware of the variables of each client. Thus, the server should be the one instantiating the clients' variables of the magic synced pool.
Clients thus do not need the right to create new variables on the server. Also, the current implementation allows clients to create infinite amounts of variables causing memory problems on the server's side.