From 0ffd9b4badf9bcb629efb8813e5c1f71586f382b Mon Sep 17 00:00:00 2001
From: Richard Alam <ritzalam@gmail.com>
Date: Mon, 30 Oct 2017 12:11:40 -0700
Subject: [PATCH]  - override meetingId and userId for messages from client
 making sure that clients do not spoof    messages from other users or
 meetings.

---
 bbb-apps-common/build.sbt                                  | 2 +-
 .../scala/org/bigbluebutton/client/meeting/UserActor.scala | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/bbb-apps-common/build.sbt b/bbb-apps-common/build.sbt
index ff58591c0b..79190720d8 100755
--- a/bbb-apps-common/build.sbt
+++ b/bbb-apps-common/build.sbt
@@ -3,7 +3,7 @@ name := "bbb-apps-common"
 
 organization := "org.bigbluebutton"
 
-version := "0.0.1-SNAPSHOT"
+version := "0.0.2"
 
 scalaVersion  := "2.12.2"
 
diff --git a/bbb-apps-common/src/main/scala/org/bigbluebutton/client/meeting/UserActor.scala b/bbb-apps-common/src/main/scala/org/bigbluebutton/client/meeting/UserActor.scala
index 10ce7a3d5a..f8c483abf6 100755
--- a/bbb-apps-common/src/main/scala/org/bigbluebutton/client/meeting/UserActor.scala
+++ b/bbb-apps-common/src/main/scala/org/bigbluebutton/client/meeting/UserActor.scala
@@ -101,8 +101,13 @@ class UserActor(val userId: String,
           log.info("-- trace -- " + msg.json)
         }
 
+        // Override the meetingId and userId on the message from client. This
+        // will prevent spoofing of messages. (ralam oct 30, 2017)
+        val newHeader = BbbClientMsgHeader(msgFromClient.header.name, meetingId, userId)
+        val msgClient = msgFromClient.copy(header = newHeader)
+        val json = JsonUtil.toJson(msgClient)
         for {
-          jsonNode <- convertToJsonNode(msg.json)
+          jsonNode <- convertToJsonNode(json)
         } yield {
           val akkaMsg = BbbCommonEnvJsNodeMsg(envelope, jsonNode)
           msgToAkkaAppsEventBus.publish(MsgToAkkaApps(toAkkaAppsChannel, akkaMsg))
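Review bot: The override at `val newHeader = BbbClientMsgHeader(msgFromClient.header.name, meetingId, userId)` silently discards whatever meetingId and userId the client sent, so a spoofing attempt is corrected but leaves nothing for operators to detect. Consider comparing before overriding and logging a mismatch, e.g. `if (msgFromClient.header.userId != userId || msgFromClient.header.meetingId != meetingId) log.warning("client header mismatch for user " + userId)` (field names assumed from the constructor's argument order; log only the server-side id so client text does not reach the log). The trace line above still writes `msg.json`, the unsanitised client payload, and `envelope` is built outside this hunk, in a handler that starts and ends outside the hunk, so it is worth confirming that the envelope does not carry client-supplied ids. Only the header is rewritten here; any user or meeting ids inside the message body would presumably still need validation by the consumer.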
-- 
GitLab