shlist

share and manage lists between multiple people

commit 719083107210d0a69ffcb3f9fd1d14d900816f17
parent 44b8eddded2ad9818f8b47f324d355a7c7f10d23
Author: kyle <kyle@0x30.net>
Date:   Sat,  2 Jan 2016 18:20:51 -0700

sl: fix a bug where you could add yourself as a friend

- add a quick test for this too

Diffstat:
Mserver/sl | 22++++++++++++++--------
Mserver/tests/add_friend/server.log.good | 3+++
Mserver/tests/add_friend/test.pl | 24++++++++++++++++++++----
3 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/server/sl b/server/sl
@@ -350,12 +350,16 @@ sub msg_friend_add {
 return "err\0friends phone number is not a valid phone number";
 }
- # XXX: check they're not already a friend before doing this
- $$sth{friends}->execute($device_id, $friend);
-
 # check if this added friend is a member already
 $$sth{ph_num_exists}->execute($friend);
 if (my ($fr_devid) = $$sth{ph_num_exists}->fetchrow_array()) {
+
+ # check if the device is trying to add itself
+ if ($fr_devid eq $device_id) {
+ log_print("device '$devid_fp' tried adding itself\n");
+ return "err\0device cannot add itself as a friend";
+ }
+
 my $friends_fp = fingerprint($fr_devid);
 log_print("added friend is a member\n");
 log_print("friends device id is '$friends_fp'\n");
@@ -371,6 +375,8 @@ sub msg_friend_add {
 }
 }
+ $$sth{friends_insert}->execute($device_id, $friend);
+
 return "ok\0$friend";
 }
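Review bot: The self-add guard compares `$fr_devid eq $device_id` only inside the `ph_num_exists` branch, so it can only fire when the caller's own phone number is registered as a member; that is sound if device_add always records the caller's number, which this hunk does not show and is worth confirming. The log call interpolates `$devid_fp`, which is not declared anywhere in the hunk; msg_friend_add starts before the hunk, so check it is set there rather than warning as uninitialized at runtime. A one-line comment on the guard would help the next reader: `# the friend's number resolved to our own device id; refuse before any friends row is written`.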
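Review bot: The added `$$sth{friends_insert}->execute($device_id, $friend);` discards DBI's return value, so a failed insert is still answered with `ok\0$friend`. Whether that matters depends on how `$dbh` was connected: with `RaiseError => 1` execute dies instead, but the connect call is outside this diff. If RaiseError is not set, guarding it in the style of the surrounding code keeps the response honest, e.g. `$$sth{friends_insert}->execute($device_id, $friend) or do { log_print("friends insert failed: " . $$sth{friends_insert}->errstr . "\n"); return "err\0could not add friend"; };`, keeping the driver's errstr in the server log rather than in the reply. Moving the insert after the validity and self-add checks is what makes the early returns above effective, so that ordering is worth a short comment.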
@@ -687,23 +693,23 @@ sub prepare_stmt_handles {
 $stmt_handles{device_id_exists} = $dbh->prepare($sql);
 # friends table queries
- $sql = qq{insert into friends (device_id, friend) values (?, ?)};
- $stmt_handles{friends} = $dbh->prepare($sql);
+ $sql = qq{insert or replace into friends (device_id, friend) values (?, ?)};
+ $stmt_handles{friends_insert} = $dbh->prepare($sql);
 $sql = qq{select * from friends where device_id = ? and friend = ?};
 $stmt_handles{friends_select} = $dbh->prepare($sql);
- $sql = qq{delete from friends where device_id = ?};
+ $sql = qq{delete from friends where device_id = ? and friend = ?};
 $stmt_handles{friends_delete} = $dbh->prepare($sql);
 # mutual_friends table
- $sql = qq{insert into mutual_friends (device_id, mutual_friend) values (?, ?)};
+ $sql = qq{insert or replace into mutual_friends (device_id, mutual_friend) values (?, ?)};
 $stmt_handles{mutual_friend_insert} = $dbh->prepare($sql);
 $sql = qq{select mutual_friend from mutual_friends where device_id = ?};
 $stmt_handles{mutual_friend_select} = $dbh->prepare($sql);
- $sql = qq{delete from mutual_friends where device_id = ? or mutual_friend = ?};
+ $sql = qq{delete from mutual_friends where device_id = ? and mutual_friend = ?};
 $stmt_handles{mutual_friends_delete} = $dbh->prepare($sql);
 # lists/list_members compound queries
diff --git a/server/tests/add_friend/server.log.good b/server/tests/add_friend/server.log.good
@@ -3,8 +3,11 @@ new connection (pid = <digits>)
 ssl ok, ver = 'TLSv1_2' cipher = 'ECDHE-RSA-AES128-SHA256'
 device_add: success, <digits>:<base64> os <base64>
 friend_add: <base64> adding <digits>
+friend_add: <base64> adding <digits>
 friend_add: <base64> adding <base64>
 friend_add: bad friends number <base64>
 friend_add: <base64> adding <digits>
 friend_add: bad friends number <digits>
+friend_add: <base64> adding <digits>
+friend_add: device <base64> tried adding itself
 disconnected!
diff --git a/server/tests/add_friend/test.pl b/server/tests/add_friend/test.pl
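Review bot: `insert or replace` on friends and mutual_friends only collapses a repeated friend_add into one row if the table carries a UNIQUE or PRIMARY KEY constraint over (device_id, friend) and (device_id, mutual_friend) respectively; without one SQLite simply inserts another row and the repeat-add test still passes. The schema is not part of this diff, so confirm the constraint exists, or keep `friends_select` in front of the insert as the removed XXX comment intended. The two delete statements now require both bind values (`and` in place of the old single-key and `or` forms); any caller still executing friends_delete or mutual_friends_delete with a single device_id would fail at execute, and those callers are outside this hunk.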
@@ -8,11 +8,12 @@ use test; # - adds a new friend
 my $sock = new_socket();
+my $phnum = "4038675309";
 my $friend1 = "4033217654";
 my $friend2 = "4033217654bad";
 my $msg_good = "friends phone number is not a valid phone number";
-send_msg($sock, 'device_add', "4038675309\0unix");
+send_msg($sock, 'device_add', "$phnum\0unix");
 my ($msg_data) = recv_msg($sock, 'device_add');
 my $device_id = check_status($msg_data, 'ok');
@@ -21,14 +22,21 @@ my $device_id = check_status($msg_data, 'ok');
 send_msg($sock, 'friend_add', "$device_id\0$friend1");
 ($msg_data) = recv_msg($sock, 'friend_add');
-my $phnum = check_status($msg_data, 'ok');
-fail "got response ph num '$phnum' expected '$friend1'" if ($phnum ne $friend1);
+my $msg = check_status($msg_data, 'ok');
+fail "got response ph num '$msg' expected '$friend1'" if ($msg ne $friend1);
+
+# add the same friend, again
+send_msg($sock, 'friend_add', "$device_id\0$friend1");
+($msg_data) = recv_msg($sock, 'friend_add');
+
+$msg = check_status($msg_data, 'ok');
+fail "got response ph num '$msg' expected '$friend1'" if ($msg ne $friend1);
 # also verify that a non numeric friends phone number isn't accepted
 send_msg($sock, 'friend_add', "$device_id\0$friend2");
 ($msg_data) = recv_msg($sock, 'friend_add');
-my $msg = check_status($msg_data, 'err');
+$msg = check_status($msg_data, 'err');
 fail "unexpected error message '$msg', expecting '$msg_good'" if ($msg ne $msg_good);
 # also verify an empty phone number isn't accepted
@@ -37,3 +45,11 @@ send_msg($sock, 'friend_add', "$device_id\0");
 $msg = check_status($msg_data, 'err');
 fail "unexpected error message '$msg', expecting '$msg_good'" if ($msg ne $msg_good);
+
+# also verify adding yourself doesn't work
+send_msg($sock, 'friend_add', "$device_id\0$phnum");
+($msg_data) = recv_msg($sock, 'friend_add');
+
+$msg = check_status($msg_data, 'err');
+$msg_good = "device cannot add itself as a friend";
+fail "unexecpted message '$msg', expected '$msg_good'" if ($msg ne $msg_good);
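Review bot: The last `fail` message in the new self-add check has a typo, `unexecpted`; `fail "unexpected message '$msg', expected '$msg_good'" if ($msg ne $msg_good);`. The "add the same friend, again" block only asserts that the second friend_add answers ok, so it cannot tell whether one friends row or two now exist, which is the property `insert or replace` is meant to guarantee; a duplicate row would go unnoticed here, and this test has no friends-list query to check it with. Reusing `$msg` for both the ok payload and the err text works, but it is one variable carrying two meanings across three checks, and a short comment such as `# check_status returns the response payload after the status word` at its first assignment would make the comparisons against `$friend1` and `$msg_good` easier to follow.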