From ae79343138f36d2adeb434180227b9e390cf5763 Mon Sep 17 00:00:00 2001
From: gered
Date: Sun, 15 May 2016 12:15:37 -0400
Subject: [PATCH] add missing RID param validation. comment changes

---
 .../src/net/thegeez/browserchannel/server.clj | 25 ++++++++++++-------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/clj-browserchannel/src/net/thegeez/browserchannel/server.clj b/clj-browserchannel/src/net/thegeez/browserchannel/server.clj
index 5ee3b01..5b3474f 100644
--- a/clj-browserchannel/src/net/thegeez/browserchannel/server.clj
+++ b/clj-browserchannel/src/net/thegeez/browserchannel/server.clj
@@ -708,7 +708,7 @@
         ;; maps contains whatever the messages to the server
         maps (get-maps req)]
     ;; if maps were received in this request, we should forward to listeners
-    ;; (client is allowed to send requests in the new session request as well,
+    ;; (client is allowed to send maps in the new session request as well,
     ;; so for both existing sessions and new sessions we do this)
     (if (and (seq maps) session-agent)
@@ -721,6 +721,9 @@
     ;; response is first array sent for this session:
     ;; [[0,["c", session-id, host-prefix, version (always equal to protocol-version)]]]
     ;; send as json for XHR and IE
+    ;; TODO: the server is allowed to flush any queued arrays and include them in the
+    ;; response of this new-session request here (after the required first array
+    ;; with the session-id, etc in it).
     (let [session @session-agent
           session-id (:id session)
           ;; @todo extract the used host-prefix from the request if any
@@ -741,17 +744,21 @@
 ;; GET req server->client is a backwardchannel opened by client
 (defn- handle-backward-channel
   [req session-agent options]
-  (let [type (get-in req [:query-params "TYPE"])]
+  (let [type (get-in req [:query-params "TYPE"])
+        rid (get-in req [:query-params "RID"])]
     (cond
       (#{"xmlhttp" "html"} type)
-      ;; @todo check that query RID is "rpc"
-      {:async :http
-       :reactor (fn [respond]
-                  (write-head respond)
-                  (send-off session-agent set-back-channel respond req))}
+      (if-not (= "rpc" rid)
+        (error-response 400 "Invalid RID")
+        {:async :http
+         :reactor (fn [respond]
+                    (write-head respond)
+                    (send-off session-agent set-back-channel respond req))})
+
       (= type "terminate")
-      ;; this is a request made in an img tag
-      (do ;;end session
+      (do
+        ;; this is a request made in an img tag
+        ;;end session
         (when session-agent
           (send-off session-agent close req "Client disconnected"))
         {:status 200
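Review bot: The new `if-not` guard in the xmlhttp/html branch validates `rid` but still calls `send-off` on `session-agent` with no nil check, whereas the `terminate` branch a few lines below guards with `(when session-agent ...)`; if the caller can reach this function without a live session, that `send-off` would only fail after `write-head` has already committed the response, when a 4xx can no longer be returned. If that case is reachable, a dedicated clause reads better than folding it into the RID test, e.g. `(cond (not= "rpc" rid) (error-response 400 "Invalid RID") (nil? session-agent) (error-response <STATUS-PLACEHOLDER> "Unknown session") :else {:async :http ...})`, using whatever status the rest of the file returns for an unknown session. The removed `;; @todo` was the only hint of why RID matters here, so a one-line comment such as `;; a backchannel GET must carry RID=rpc; anything else is a malformed request` above the guard would keep that rationale. handle-backward-channel continues past the end of the hunk, so any remaining cond clauses (an `:else` fallback, for instance) are not visible here.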