From c6ed3b43db3a7e16a96b7b2af03095c9c4821641 Mon Sep 17 00:00:00 2001
From: Thibault Duplessis
Date: Sun, 19 May 2013 01:46:27 -0300
Subject: [PATCH] disable signed JS and socket hijack protection

---
 app/controllers/Round.scala | 8 ++------
 app/views/base/layout.scala.html | 5 ++---
 app/views/round/layout.scala.html | 5 ++---
 app/views/round/player.scala.html | 3 +--
 app/views/setup/await.scala.html | 3 +--
 app/views/setup/join.scala.html | 3 +--
 conf/routes | 1 -
 modules/game/src/main/Env.scala | 9 ---------
 modules/game/src/main/GameJs.scala | 17 -----------------
 modules/round/src/main/Env.scala | 6 +-----
 modules/round/src/main/Hijack.scala | 21 ---------------------
 modules/round/src/main/SocketHandler.scala | 11 ++++-------
 public/javascripts/big.js | 3 ---
 13 files changed, 14 insertions(+), 81 deletions(-)
 delete mode 100644 modules/game/src/main/GameJs.scala
 delete mode 100644 modules/round/src/main/Hijack.scala

diff --git a/app/controllers/Round.scala b/app/controllers/Round.scala
index c3adfae5b5..764a5ee37e 100644
--- a/app/controllers/Round.scala
+++ b/app/controllers/Round.scala
@@ -30,15 +30,11 @@ object Round extends LilaController with TheftPrevention {
   }
 
   def websocketPlayer(fullId: String) = Socket[JsValue] { implicit ctx ⇒
-    (get("sri") |@| getInt("version") |@| get("tk2")).tupled ?? {
-      case (uid, version, token) ⇒ env.socketHandler.player(fullId, version, uid, token, ctx)
+    (get("sri") |@| getInt("version")).tupled ?? {
+      case (uid, version) ⇒ env.socketHandler.player(fullId, version, uid, ctx)
     }
   }
 
-  def signedJs(gameId: String) = OpenNoCtx { req ⇒
-    JsOk(GameRepo token gameId map Env.game.gameJs.sign, CACHE_CONTROL -> "max-age=3600")
-  }
-
   def player(fullId: String) = Open { implicit ctx ⇒
     OptionFuResult(GameRepo pov fullId) { pov ⇒
       if (pov.game.playableByAi) env.roundMap ! Tell(pov.game.id, AiPlay(_ ⇒ ()))
diff --git a/app/views/base/layout.scala.html b/app/views/base/layout.scala.html
index fe8d4e883e..706e834058 100644
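Review bot: With the `tk2` parameter dropped, `websocketPlayer` admits a player socket on nothing more than the 12-character `fullId` in the URL, so the game token that previously acted as a second factor no longer protects the seat from anyone who learns the fullId (a shared link, a Referer leak, a screenshot). The commit title says the protection is disabled but not why, nor what replaces it; `Round` mixes in `TheftPrevention`, but nothing in this hunk shows it applied to the socket route. I would at least leave a marker so the gap is not forgotten: `// TODO: player socket is authenticated by fullId alone since the tk2 token check was removed; restore a second factor before relying on this route`. `object Round` begins before this hunk and the `player` action continues past its end.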
--- a/app/views/base/layout.scala.html
+++ b/app/views/base/layout.scala.html
@@ -8,8 +8,7 @@ chat: Option[Html] = None,
 underchat: Option[Html] = None,
 robots: Boolean = true,
 moreCss: Html = Html(""),
-moreJs: Html = Html(""),
-signedJs: Option[String] = None)(body: Html)(implicit ctx: Context)
+moreJs: Html = Html(""))(body: Html)(implicit ctx: Context)
@@ -129,7 +128,7 @@ signedJs: Option[String] = None)(body: Html)(implicit ctx: Context)
 @jsTag("deps.min.js")
- @signedJs.fold(isProd.fold(jsTagC("big.js"), jsTag("big.js")))(jsAt)
+ @isProd.fold(jsTagC("big.js"), jsTag("big.js"))
 @moreJs
 @if(lang.language != "en") {
diff --git a/app/views/round/layout.scala.html b/app/views/round/layout.scala.html
index 08f98d9745..b67ad2385a 100644
--- a/app/views/round/layout.scala.html
+++ b/app/views/round/layout.scala.html
@@ -1,4 +1,4 @@
-@(title: String, goodies: Html, chat: Option[Html] = None, underchat: Option[Html] = None, robots: Boolean = true, signedJs: Option[String] = None)(body: Html)(implicit ctx: Context)
+@(title: String, goodies: Html, chat: Option[Html] = None, underchat: Option[Html] = None, robots: Boolean = true)(body: Html)(implicit ctx: Context)
 
 @base.layout(
 title = title,
@@ -6,5 +6,4 @@ goodies = goodies.some,
 active = siteMenu.play.some,
 chat = chat,
 underchat = underchat,
-robots = robots,
-signedJs = signedJs)(body)
+robots = robots)(body)
diff --git a/app/views/round/player.scala.html b/app/views/round/player.scala.html
index d2ebc84077..92ba47e3a6 100644
--- a/app/views/round/player.scala.html
+++ b/app/views/round/player.scala.html
@@ -14,8 +14,7 @@ title = title,
 goodies = views.html.game.infoBox(pov, tour),
 chat = roomHtml.map(round.room(_, false)),
-underchat = underchat.some,
-signedJs = routes.Round.signedJs(pov.gameId).toString.some) {
+underchat = underchat.some) {
diff --git a/app/views/setup/join.scala.html b/app/views/setup/join.scala.html
index acd40e65ee..a67536fec7 100644
--- a/app/views/setup/join.scala.html
+++ b/app/views/setup/join.scala.html
@@ -4,8 +4,7 @@ @round.layout(
 title = trans.playWithAFriend.str(),
-goodies = Html(""),
-signedJs = routes.Round.signedJs(pov.gameId).toString.some) {
+goodies = Html("")) {
diff --git a/conf/routes b/conf/routes
index 01b4f3fd64..17cd9906c9 100644
--- a/conf/routes
+++ b/conf/routes
@@ -38,7 +38,6 @@ GET /$gameId<[\w\-]{8}> controllers.Round.watcher(g
 GET /$gameId<[\w\-]{8}>/$color controllers.Round.watcher(gameId: String, color: String)
 GET /$fullId<[\w\-]{12}> controllers.Round.player(fullId: String)
 GET /$gameId<[\w\-]{8}>/$color/socket controllers.Round.websocketWatcher(gameId: String, color: String)
-GET /$gameId<[\w\-]{8}>/s.js controllers.Round.signedJs(gameId: String)
 GET /$fullId<[\w\-]{12}>/socket controllers.Round.websocketPlayer(fullId: String)
 GET /$gameId<[\w\-]{8}>/$color/table controllers.Round.tableWatcher(gameId: String, color: String)
 GET /$fullId<[\w\-]{12}>/table controllers.Round.tablePlayer(fullId: String)
diff --git a/modules/game/src/main/Env.scala b/modules/game/src/main/Env.scala
index d721ebb0c1..38c645ef9a 100644
--- a/modules/game/src/main/Env.scala
+++ b/modules/game/src/main/Env.scala
@@ -10,8 +10,6 @@ final class Env(
   db: lila.db.Env,
   system: ActorSystem,
   hub: lila.hub.Env,
-  appPath: String,
-  isProd: Boolean,
   scheduler: lila.common.Scheduler) {
 
   private val settings = new {
@@ -47,8 +45,6 @@ final class Env(
 
   lazy val rewind = Rewind
 
-  lazy val gameJs = new GameJs(path = jsPath, useCache = isProd)
-
   // load captcher actor
   private val captcher = system.actorOf(Props(new Captcher), name = CaptcherName)
 
@@ -77,9 +73,6 @@ final class Env(
 
   private lazy val titivate = new Titivate(
     bookmark = hub.actor.bookmark)
-
-  private def jsPath =
-    "%s/%s".format(appPath, isProd.fold(JsPathCompiled, JsPathRaw))
 }
 
 object Env {
@@ -91,8 +84,6 @@ object Env {
     db = lila.db.Env.current,
     system = lila.common.PlayApp.system,
     hub = lila.hub.Env.current,
-    appPath = app.path.getCanonicalPath,
-    isProd = lila.common.PlayApp.isProd,
     scheduler = lila.common.PlayApp.scheduler
   )
 }
diff --git a/modules/game/src/main/GameJs.scala b/modules/game/src/main/GameJs.scala
deleted file mode 100644
index 1018944df9..0000000000
--- a/modules/game/src/main/GameJs.scala
+++ /dev/null
@@ -1,17 +0,0 @@
-package lila.game
-
-private[game] final class GameJs(path: String, useCache: Boolean) {
-
-  def unsigned: String = useCache.fold(cached, readFromSource)
-
-  val placeholder = "--tkph--"
-
-  def sign(token: String) = unsigned.replace(placeholder, token)
-
-  private lazy val cached: String = readFromSource
-
-  private def readFromSource = {
-    val source = scala.io.Source fromFile path
-    source.mkString ~ { _ ⇒ source.close }
-  }
-}
diff --git a/modules/round/src/main/Env.scala b/modules/round/src/main/Env.scala
index e803d3adf1..614cec22a8 100644
--- a/modules/round/src/main/Env.scala
+++ b/modules/round/src/main/Env.scala
@@ -31,7 +31,6 @@ final class Env(
     val SocketName = config getString "socket.name"
     val SocketTimeout = config duration "socket.timeout"
     val FinisherLockTimeout = config duration "finisher.lock.timeout"
-    val HijackTimeout = config duration "hijack.timeout"
     val NetDomain = config getString "net.domain"
     val ActorMapName = config getString "actor.map.name"
   }
@@ -64,8 +63,7 @@ final class Env(
     roundMap = roundMap,
     socketHub = socketHub,
     messenger = messenger,
-    flood = flood,
-    hijack = hijack)
+    flood = flood)
 
   private lazy val finisher = new Finisher(
     messenger = messenger,
@@ -117,8 +115,6 @@ final class Env(
 
   private lazy val titivate = new Titivate(roundMap, meddler)
 
-  private lazy val hijack = new Hijack(HijackTimeout)
-
   private lazy val takebacker = new Takebacker(
     messenger = messenger)
 
diff --git a/modules/round/src/main/Hijack.scala b/modules/round/src/main/Hijack.scala
deleted file mode 100644
index db244ca682..0000000000
--- a/modules/round/src/main/Hijack.scala
+++ /dev/null
@@ -1,21 +0,0 @@
-package lila.round
-
-import lila.game.Pov
-import lila.user.Context
-import lila.memo.ExpireSetMemo
-
-import scala.concurrent.duration.Duration
-
-private[round] final class Hijack(timeout: Duration) {
-
-  // full game ids that have been hijacked
-  private val hijacks = new ExpireSetMemo(timeout)
-
-  def apply(pov: Pov, token: String, ctx: Context) =
-    if (hijacks get pov.fullId) true
-    else if (token != pov.game.token) true ~ { _ ⇒
-      loginfo("[websocket] hijacking detected %s %s".format(pov.fullId, ctx.toString))
-      hijacks put pov.fullId
-    }
-    else false
-}
diff --git a/modules/round/src/main/SocketHandler.scala b/modules/round/src/main/SocketHandler.scala
index cf6f4790ba..9619eed3e2 100644
--- a/modules/round/src/main/SocketHandler.scala
+++ b/modules/round/src/main/SocketHandler.scala
@@ -19,8 +19,7 @@ private[round] final class SocketHandler(
     roundMap: ActorRef,
     socketHub: ActorRef,
     messenger: Messenger,
-    flood: Flood,
-    hijack: Hijack) {
+    flood: Flood) {
 
   private def controller(
     gameId: String,
@@ -77,17 +76,16 @@ private[round] final class SocketHandler(
     uid: String,
     ctx: Context): Fu[JsSocketHandler] =
     GameRepo.pov(gameId, colorName) flatMap {
-      _ ?? { join(_, none, version, uid, "", ctx) }
+      _ ?? { join(_, none, version, uid, ctx) }
     }
 
   def player(
     fullId: String,
     version: Int,
     uid: String,
-    token: String,
     ctx: Context): Fu[JsSocketHandler] =
     GameRepo.pov(fullId) flatMap {
-      _ ?? { join(_, Some(Game takePlayerId fullId), version, uid, token, ctx) }
+      _ ?? { join(_, Some(Game takePlayerId fullId), version, uid, ctx) }
     }
 
   private def join(
@@ -95,7 +93,6 @@ private[round] final class SocketHandler(
     playerId: Option[String],
     version: Int,
     uid: String,
-    token: String,
     ctx: Context): Fu[JsSocketHandler] = for {
     socket ← socketHub ? GetSocket(pov.gameId) mapTo manifest[ActorRef]
     join = Join(
@@ -103,7 +100,7 @@ private[round] final class SocketHandler(
       user = ctx.me,
       version = version,
       color = pov.color,
-      playerId = playerId filterNot (_ ⇒ hijack(pov, token, ctx)))
+      playerId = playerId)
     handler ← Handler(socket, uid, join) {
       case Connected(enum, member) ⇒
         controller(pov.gameId, socket, uid, pov.ref, member) -> enum
diff --git a/public/javascripts/big.js b/public/javascripts/big.js
index e1e669165f..820b1ed9ba 100644
--- a/public/javascripts/big.js
+++ b/public/javascripts/big.js
@@ -647,9 +647,6 @@ var lichess_sri = Math.random().toString(36).substring(5); // 8 chars
       options: {
         name: "game"
       },
-      params: {
-        tk2: "--tkph--"
-      },
       events: {
         ack: function() {
           clearTimeout(self.socketAckTimeout);
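Review bot: `playerId = playerId` now hands the player identity to every socket that presents a valid fullId, and the removed `hijack` filter took with it the only logging of token mismatches (`loginfo("[websocket] hijacking detected ...")` in the deleted Hijack.scala), so a stolen fullId is no longer detected, logged, or quarantined for `HijackTimeout`. If the protection is being disabled temporarily, a comment at the assignment would stop the next reader from assuming the identity was verified upstream: `playerId = playerId // NOTE: no token check since the tk2/Hijack removal; fullId alone grants the seat`. `Join` is also built from `ctx.me`, so an interim check could compare the session user against the pov's player when both are known, though I cannot tell from this hunk whether `pov.player` exposes a user id. The `join` method starts before this hunk and its for-comprehension continues past it.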