From 9a9b75674b734816b2177c82398691f24a41a483 Mon Sep 17 00:00:00 2001
From: ansuz
Date: Tue, 3 Sep 2019 18:29:28 +0200
Subject: [PATCH] don't send WRITE_PRIVATE_MESSAGE from historyKeeper
---
 historyKeeper.js | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/historyKeeper.js b/historyKeeper.js
index 170de6233..a5a371936 100644
--- a/historyKeeper.js
+++ b/historyKeeper.js
@@ -999,8 +999,20 @@ module.exports.create = function (cfg) {
 }
 // unauthenticated RPC calls have a different message format
- if (msg[0] === "WRITE_PRIVATE_MESSAGE" && output) {
- historyKeeperBroadcast(ctx, output.channel, output.message);
+ if (msg[0] === "WRITE_PRIVATE_MESSAGE" && output && output.channel) {
+ // this is an inline reimplementation of historyKeeperBroadcast
+ // because if we use that directly it will bypass signature validation
+ // which opens up the user to malicious behaviour
+ let chan = ctx.channels[output.channel];
+ if (chan && chan.length) {
+ chan.forEach(function (user) {
+ sendMsg(ctx, user, output.message);
+ //[0, null, 'MSG', user.id, JSON.stringify(output.message)]);
+ });
+ }
+ // rpc and anonRpc expect their responses to be of a certain length
+ // and we've already used the output of the rpc call, so overwrite it
+ output = [null, null, null];
 }
 // finally, send a response to the client that sent the RPC
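Review bot: The lookup `ctx.channels[output.channel]` is guarded only by `chan && chan.length`, which any truthy value with a non-zero `length` satisfies, not just a member list. `ctx.channels` is declared outside this hunk; if it is a plain object and `output.channel` is derived from the request, a name that resolves to an inherited property would reach `chan.forEach` and throw inside the message handler, so `if (Array.isArray(chan)) {` is the tighter guard (an empty array is then a harmless no-op). The commented-out `//[0, null, 'MSG', user.id, JSON.stringify(output.message)]);` line should be removed or replaced by a sentence stating the framing that `output.message` is expected to already carry, since the stated reason for this change is that recipients must be able to validate what they receive. The enclosing handler starts and ends outside the hunk.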