From 5f683809cde1563fc59e778364180933b3f5cf1c Mon Sep 17 00:00:00 2001
From: Ghazi Triki <ghazi.triki@riadvice.tn>
Date: Tue, 9 Feb 2021 19:03:54 +0100
Subject: [PATCH] Make sure checksum validation is done first in join API and
 display an error without redirection in failure case.

---
 .../web/controllers/ApiController.groovy             | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
index 61d5d76220..b136854f8c 100755
--- a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
+++ b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
@@ -209,7 +209,12 @@ class ApiController {
 
     // BEGIN - backward compatibility
     if (StringUtils.isEmpty(params.checksum)) {
-      invalid("checksumError", "You did not pass the checksum security check", REDIRECT_RESPONSE)
+      invalid("checksumError", "You did not pass the checksum security check")
+      return
+    }
+
+    if (!paramsProcessorUtil.isChecksumSame(API_CALL, params.checksum, request.getQueryString())) {
+      invalid("checksumError", "You did not pass the checksum security check")
       return
     }
 
@@ -241,11 +246,6 @@ class ApiController {
       return
     }
 
-    if (!paramsProcessorUtil.isChecksumSame(API_CALL, params.checksum, request.getQueryString())) {
-      invalid("checksumError", "You did not pass the checksum security check", REDIRECT_RESPONSE)
-      return
-    }
-
     // END - backward compatibility
 
     // Do we have a checksum? If none, complain.
-- 
GitLab