From 3f81f59a2aaa2eab540ca1aaeb5e66fc337b00b3 Mon Sep 17 00:00:00 2001
From: gered
Date: Thu, 12 May 2016 14:52:07 -0400
Subject: [PATCH] enforce valid session requirement for all backchannel requests not checking for this results in a NPE anyway, definitely better to return a nicer error result
---
 .../src/net/thegeez/browserchannel/server.clj | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/clj-browserchannel/src/net/thegeez/browserchannel/server.clj b/clj-browserchannel/src/net/thegeez/browserchannel/server.clj
index e69f225..4050e19 100644
--- a/clj-browserchannel/src/net/thegeez/browserchannel/server.clj
+++ b/clj-browserchannel/src/net/thegeez/browserchannel/server.clj
@@ -745,10 +745,14 @@
 [req options]
 (let [SID (get-in req [:query-params "SID"])
 ;; session-agent might be nil, then it will be created by
- ;; handle-forward-channel
+ ;; handle-forward-channel.
+ ;; however, we must have a non-nil session-agent (and hence, a
+ ;; pre-existing session) for all invocations of handle-backward-channel
 session-agent (@sessions SID)]
- (if (and SID
- (not session-agent))
+ (if (or (and (= :get (:request-method req))
+ (not session-agent))
+ (and SID
+ (not session-agent)))
 ;; SID refers to an already created session, which therefore
 ;; must exist
 (error-response 400 "Unknown SID")
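Review bot: The new guard in the `if` recognises a backchannel request by `(= :get (:request-method req))`, but the dispatch to handle-backward-channel sits below the hunk, so if that dispatch uses a different predicate (for instance "anything that is not a POST"), a non-GET request without a session could still arrive there with a nil session-agent and hit the same NPE. Both branches repeat `(not session-agent)`, so the test reads more clearly written once, `(and (not session-agent) (or SID (= :get (:request-method req))))`, with the method check kept identical to the one used for dispatch. A GET that carries no SID at all is now also answered with "Unknown SID"; a short comment such as `;; GET without a SID is rejected too: the backchannel never creates sessions` would make that intentional. The diffstat shows only server.clj changed, so a regression test for a sessionless GET (which presumably surfaced as a server error before) would be worth adding.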