From 8da91ebf70c80440d2224b0ead60e59a757b7d5e Mon Sep 17 00:00:00 2001 From: 3nd3r Date: Sun, 12 Apr 2026 12:50:47 -0500 Subject: [PATCH] Fix #2: Validate PM room join authorization - Track pending PM invitations per socket session - pm_accept now rejects room joins unless user has a valid invite - Clean up pending invites on disconnect - Prevents eavesdropping on other users' PM conversations --- app.py | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/app.py b/app.py index b895747..e325ccf 100644 --- a/app.py +++ b/app.py @@ -73,6 +73,7 @@ muted_users: set = set() banned_usernames: set = set() banned_ips: set = set() message_timestamps: dict = defaultdict(list) +pending_pm_invites: dict = {} # sid → set of room names they were invited to RATE_LIMIT = 6 RATE_WINDOW = 5 @@ -360,6 +361,7 @@ def on_disconnect(): sid = request.sid user = connected_users.pop(sid, None) message_timestamps.pop(sid, None) + pending_pm_invites.pop(sid, None) if user and user.get("username"): lower = user["username"].lower() username_to_sid.pop(lower, None) @@ -526,6 +528,8 @@ def on_pm_open(data): room = _pm_room(user["username"], target) join_room(room) + if target_sid: + pending_pm_invites.setdefault(target_sid, set()).add(room) socketio.emit("pm_invite", {"from": user["username"], "room": room}, to=target_sid) emit("pm_ready", {"with": target, "room": room}) @@ -533,7 +537,14 @@ def on_pm_open(data): @socketio.on("pm_accept") def on_pm_accept(data): - join_room(data.get("room")) + sid = request.sid + room = str(data.get("room", "")) + allowed = pending_pm_invites.get(sid, set()) + if room not in allowed: + emit("error", {"msg": "Invalid or expired PM invitation."}) + return + allowed.discard(room) + join_room(room) @socketio.on("pm_message")