commit 719083107210d0a69ffcb3f9fd1d14d900816f17
parent 44b8eddded2ad9818f8b47f324d355a7c7f10d23
Author: kyle <kyle@0x30.net>
Date: Sat, 2 Jan 2016 18:20:51 -0700
sl: fix a bug where you could add yourself as a friend
- add a quick test for this too
Diffstat:
3 files changed, 37 insertions(+), 12 deletions(-)
diff --git a/server/sl b/server/sl
@@ -350,12 +350,16 @@ sub msg_friend_add {
return "err\0friends phone number is not a valid phone number";
}
- # XXX: check they're not already a friend before doing this
- $$sth{friends}->execute($device_id, $friend);
-
# check if this added friend is a member already
$$sth{ph_num_exists}->execute($friend);
if (my ($fr_devid) = $$sth{ph_num_exists}->fetchrow_array()) {
+
+ # check if the device is trying to add itself
+ if ($fr_devid eq $device_id) {
+ log_print("device '$devid_fp' tried adding itself\n");
+ return "err\0device cannot add itself as a friend";
+ }
+
my $friends_fp = fingerprint($fr_devid);
log_print("added friend is a member\n");
log_print("friends device id is '$friends_fp'\n");
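Review bot: The new guard at line 21 is correct only because the friend's phone number is resolved to a device id via ph_num_exists and then compared with the caller's id, which the one-line comment at line 20 does not convey; a reader could otherwise assume the caller's own phone number is being compared. I would expand it to `# ph_num_exists maps the friend's number to a device id; if it is the caller's own id this is a self-add`. The guard sits inside the "friend is a member" branch, which is the only place a self-add can surface, but that holds only if a phone number maps to a single device, which this hunk does not show. msg_friend_add starts and ends outside the hunk.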
@@ -371,6 +375,8 @@ sub msg_friend_add {
}
}
+ $$sth{friends_insert}->execute($device_id, $friend);
+
return "ok\0$friend";
}
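Review bot: The return value of the `friends_insert` execute on the new line 32 is not checked, so unless the handle was prepared under RaiseError (not visible here) a failed insert still yields `return "ok\0$friend";` and the client believes the friend was stored. Since the member branch above may already have written mutual_friends rows before this insert, an unreported failure here leaves the two tables inconsistent. A minimal fix is `$$sth{friends_insert}->execute($device_id, $friend) or return "err\0could not store friend";`, logging the DBI error alongside it. The enclosing msg_friend_add begins outside the hunk.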
@@ -687,23 +693,23 @@ sub prepare_stmt_handles {
$stmt_handles{device_id_exists} = $dbh->prepare($sql);
# friends table queries
- $sql = qq{insert into friends (device_id, friend) values (?, ?)};
- $stmt_handles{friends} = $dbh->prepare($sql);
+ $sql = qq{insert or replace into friends (device_id, friend) values (?, ?)};
+ $stmt_handles{friends_insert} = $dbh->prepare($sql);
$sql = qq{select * from friends where device_id = ? and friend = ?};
$stmt_handles{friends_select} = $dbh->prepare($sql);
- $sql = qq{delete from friends where device_id = ?};
+ $sql = qq{delete from friends where device_id = ? and friend = ?};
$stmt_handles{friends_delete} = $dbh->prepare($sql);
# mutual_friends table
- $sql = qq{insert into mutual_friends (device_id, mutual_friend) values (?, ?)};
+ $sql = qq{insert or replace into mutual_friends (device_id, mutual_friend) values (?, ?)};
$stmt_handles{mutual_friend_insert} = $dbh->prepare($sql);
$sql = qq{select mutual_friend from mutual_friends where device_id = ?};
$stmt_handles{mutual_friend_select} = $dbh->prepare($sql);
- $sql = qq{delete from mutual_friends where device_id = ? or mutual_friend = ?};
+ $sql = qq{delete from mutual_friends where device_id = ? and mutual_friend = ?};
$stmt_handles{mutual_friends_delete} = $dbh->prepare($sql);
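Review bot: The changes to `friends_delete` (line 46, now two bind parameters instead of one) and `mutual_friends_delete` (line 55, `or` replaced by `and`) alter the contract of both handles, but no caller that executes them appears in this diff, and the diffstat lists only the three files shown. Any existing `$$sth{friends_delete}->execute($device_id)` will fail at runtime with a bind-count mismatch, and a caller that relied on the old `or` to purge every mutual_friends row involving a device (for example on device removal) will now silently leave the other direction behind. If such callers exist, they need updating in the same commit, or the purge-all form should keep its own handle rather than reusing this one. The `insert or replace` form on lines 41 and 50 is SQLite-specific, which is fine if that is the only supported backend.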
# lists/list_members compound queries
diff --git a/server/tests/add_friend/server.log.good b/server/tests/add_friend/server.log.good
@@ -3,8 +3,11 @@ new connection (pid = <digits>)
ssl ok, ver = 'TLSv1_2' cipher = 'ECDHE-RSA-AES128-SHA256'
device_add: success, <digits>:<base64> os <base64>
friend_add: <base64> adding <digits>
+friend_add: <base64> adding <digits>
friend_add: <base64> adding <base64>
friend_add: bad friends number <base64>
friend_add: <base64> adding <digits>
friend_add: bad friends number <digits>
+friend_add: <base64> adding <digits>
+friend_add: device <base64> tried adding itself
disconnected!
diff --git a/server/tests/add_friend/test.pl b/server/tests/add_friend/test.pl
@@ -8,11 +8,12 @@ use test;
# - adds a new friend
my $sock = new_socket();
+my $phnum = "4038675309";
my $friend1 = "4033217654";
my $friend2 = "4033217654bad";
my $msg_good = "friends phone number is not a valid phone number";
-send_msg($sock, 'device_add', "4038675309\0unix");
+send_msg($sock, 'device_add', "$phnum\0unix");
my ($msg_data) = recv_msg($sock, 'device_add');
my $device_id = check_status($msg_data, 'ok');
@@ -21,14 +22,21 @@ my $device_id = check_status($msg_data, 'ok');
send_msg($sock, 'friend_add', "$device_id\0$friend1");
($msg_data) = recv_msg($sock, 'friend_add');
-my $phnum = check_status($msg_data, 'ok');
-fail "got response ph num '$phnum' expected '$friend1'" if ($phnum ne $friend1);
+my $msg = check_status($msg_data, 'ok');
+fail "got response ph num '$msg' expected '$friend1'" if ($msg ne $friend1);
+
+# add the same friend, again
+send_msg($sock, 'friend_add', "$device_id\0$friend1");
+($msg_data) = recv_msg($sock, 'friend_add');
+
+$msg = check_status($msg_data, 'ok');
+fail "got response ph num '$msg' expected '$friend1'" if ($msg ne $friend1);
# also verify that a non numeric friends phone number isn't accepted
send_msg($sock, 'friend_add', "$device_id\0$friend2");
($msg_data) = recv_msg($sock, 'friend_add');
-my $msg = check_status($msg_data, 'err');
+$msg = check_status($msg_data, 'err');
fail "unexpected error message '$msg', expecting '$msg_good'" if ($msg ne $msg_good);
# also verify an empty phone number isn't accepted
@@ -37,3 +45,11 @@ send_msg($sock, 'friend_add', "$device_id\0");
$msg = check_status($msg_data, 'err');
fail "unexpected error message '$msg', expecting '$msg_good'" if ($msg ne $msg_good);
+
+# also verify adding yourself doesn't work
+send_msg($sock, 'friend_add', "$device_id\0$phnum");
+($msg_data) = recv_msg($sock, 'friend_add');
+
+$msg = check_status($msg_data, 'err');
+$msg_good = "device cannot add itself as a friend";
+fail "unexecpted message '$msg', expected '$msg_good'" if ($msg ne $msg_good);
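Review bot: The fail message on line 114 has a typo, "unexecpted", which will show up verbatim in test output; change it to `fail "unexpected message '$msg', expected '$msg_good'" if ($msg ne $msg_good);`. The test only checks the error string returned to the client; it cannot observe from the protocol that no friends row was written on the self-add path, so the server.log.good expectation in this commit is what actually pins the server-side behaviour.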