From 3251b8ba2eab22194929f08d24b66fef70cc6984 Mon Sep 17 00:00:00 2001
From: maxwell <maxwell@joindiaspora.com>
Date: Tue, 2 Nov 2010 13:58:27 -0700
Subject: [PATCH] MS IZ fixed a hole where another user could update another
 friend's post

---
 lib/diaspora/user/receiving.rb          |  6 +++--
 spec/models/user/attack_vectors_spec.rb | 34 +++++++++++++++++++++----
 2 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/lib/diaspora/user/receiving.rb b/lib/diaspora/user/receiving.rb
index 2e4a7bf8d4..b99c0539db 100644
--- a/lib/diaspora/user/receiving.rb
+++ b/lib/diaspora/user/receiving.rb
@@ -118,7 +118,7 @@ module Diaspora
           #you know about it, and it is not mutable
         #
         on_pod = exsists_on_pod?(post)
-        if on_pod 
+        if on_pod && on_pod.diaspora_handle == post.diaspora_handle 
           known_post = find_visible_post_by_id(post.id)
           if known_post 
             if known_post.mutable?
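Review bot: The ownership check on the new `if` line trusts `post.diaspora_handle`, a field of the incoming payload that the sender controls (the spec in this same patch builds its scenarios by assigning it directly), so the comparison only prevents tampering if the salmon layer has already verified that this field matches the envelope's signing author before this method runs. I cannot see that verification from here; if it does not exist, a stronger binding is to compare `on_pod.diaspora_handle` with the verified sender identity carried by the salmon envelope rather than with a value taken from the post body. Either way a comment such as `# only the original author may replace a post already stored on this pod` would record the intent of the condition. The enclosing method starts before this hunk and its `if` ladder continues into the next one.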
@@ -129,8 +129,10 @@ module Diaspora
           elsif on_pod == post 
             update_user_refs_and_add_to_aspects(on_pod)
           end
-        else
+        elsif !on_pod 
           update_user_refs_and_add_to_aspects(post)
+        else
+          Rails.logger.info("#{post.diaspora_handle} is trying to update an exsisting object they do not own #{on_pod.inspect}")
         end
       end
 
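Review bot: The new `else` branch records a rejected update at `info` level and dumps `on_pod.inspect` into the log, which buries a tampering signal among routine entries and writes the full stored object, content included, to the log file. A `warn` entry naming identifiers is easier to alert on and leaks less, e.g. `Rails.logger.warn("#{post.diaspora_handle} attempted to update post #{on_pod.id} owned by #{on_pod.diaspora_handle}")`; the message also misspells "existing". Since the final `else` is reached only when a stored copy exists and its handle differs from the payload's, a comment `# stored copy exists but belongs to someone else: drop the update` on that branch would make the ladder readable. The method's beginning lies before the previous hunk.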
diff --git a/spec/models/user/attack_vectors_spec.rb b/spec/models/user/attack_vectors_spec.rb
index 8ee200dcee..9f9b74f6bd 100644
--- a/spec/models/user/attack_vectors_spec.rb
+++ b/spec/models/user/attack_vectors_spec.rb
@@ -17,11 +17,6 @@ describe "attack vectors" do
   let(:user3) { make_user }
   let(:aspect3) { user3.aspects.create(:name => 'heroes') }
 
-  before do
-    friend_users(user, aspect, user2, aspect2)
-    friend_users(user, aspect, user3, aspect3)
-  end
-
   context 'non-friend valid user' do
     
     it 'raises if receives post by non-friend' do
@@ -41,7 +36,23 @@ describe "attack vectors" do
 
   end
 
+  it 'does not let a user attach to posts previously in the db unless its received from the author' do
+    friend_users(user, aspect, user3, aspect3)
+
+    original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
+
+    original_message.diaspora_handle = user.diaspora_handle
+    user3.receive_salmon(user.salmon(original_message).xml_for(user3.person))
+    user3.reload.visible_posts.should_not include(original_message)
+  end
+
   context 'malicious friend attack vector' do
+    before do
+      friend_users(user, aspect, user2, aspect2)
+      friend_users(user, aspect, user3, aspect3)
+    end
+
+
     it 'overwrites messages with a different user' do 
       original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
 
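Review bot: The new example's description reads `unless its received` where `unless it's received` is meant, and the two consecutive blank lines before `it 'overwrites messages with a different user'` should be one. The example only checks that the post did not become visible to user3; adding `original_message.reload.diaspora_handle.should == user2.diaspora_handle` would also confirm that the stored copy was not overwritten by the incoming payload, which is the property the receiving.rb change is meant to protect.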
@@ -135,5 +146,18 @@ describe "attack vectors" do
     
       user.reload.friends.count.should == 2
     end
+
+    it 'does not let me update other persons post' do
+      original_message = user2.post :album, :name => 'store this!', :to => aspect2.id
+      user.receive_salmon(user2.salmon(original_message).xml_for(user.person))
+
+      original_message.diaspora_handle = user3.diaspora_handle
+      original_message.name = "bad bad bad"
+      xml = user3.salmon(original_message).xml_for(user.person)
+      user.receive_salmon(xml)
+
+      original_message.reload.name.should == "store this!"
+
+    end
   end
 end
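Review bot: The new example changes both the payload's `diaspora_handle` and the signer to user3, so it exercises only the case where the payload is honest about who sent it; it does not cover a payload that keeps user2's handle while being signed by user3, which the handle comparison in receiving.rb cannot distinguish from a genuine update unless the salmon layer checks the signer against the payload. A second example that leaves `original_message.diaspora_handle` untouched, signs with `user3.salmon(original_message)`, and still expects `original_message.reload.name.should == "store this!"` would pin that behaviour either way. There is also a stray blank line before the example's `end`.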
-- 
GitLab