Merge pull request #8933 from huffman/fix/away-vulnerability

Fix away.js vulnerability
2025-04-20 11:45:36 +02:00 · 2016-10-27 11:55:36 -07:00 · 2016-10-27 11:55:36 -07:00 · aa3af36933
commit aa3af36933
parent 510786bc0f 1782f97dbd
1 changed files with 2 additions and 1 deletions
--- a/scripts/system/away.js
+++ b/scripts/system/away.js
@ -304,7 +304,7 @@ function setEnabled(value) {

 var CHANNEL_AWAY_ENABLE = "Hifi-Away-Enable";
 var handleMessage = function(channel, message, sender) {
-    if (channel === CHANNEL_AWAY_ENABLE) {
+    if (channel === CHANNEL_AWAY_ENABLE && sender === MyAvatar.sessionUUID) {
        print("away.js | Got message on Hifi-Away-Enable: ", message);
        setEnabled(message === 'enable');
    }
@ -344,6 +344,7 @@ Script.scriptEnding.connect(function () {
    Controller.mousePressEvent.disconnect(goActive);
    Controller.keyPressEvent.disconnect(maybeGoActive);
    Messages.messageReceived.disconnect(handleMessage);
+    Messages.unsubscribe(CHANNEL_AWAY_ENABLE);
 });

 if (HMD.active && !HMD.mounted) {