From cae55aa381e9f73f96a49a8d039973dd6185d649 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Tue, 18 Aug 2020 08:32:21 +0100
Subject: [PATCH] Make correct allow_anonymous check in pwfile security. We always get passed the client even if it doesn't have a username/password now.
---
 src/security_default.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/security_default.c b/src/security_default.c
index 09d17e4331..a6171a201a 100644
--- a/src/security_default.c
+++ b/src/security_default.c
@@ -895,6 +895,7 @@ int mosquitto_unpwd_check_default(struct mosquitto_db *db, struct mosquitto *con
 unsigned int hash_len;
 int rc;
 #endif
+ bool allow_anonymous;
 if(!db) return MOSQ_ERR_INVAL;
@@ -903,15 +904,21 @@ int mosquitto_unpwd_check_default(struct mosquitto_db *db, struct mosquitto *con
 if(!context->listener) return MOSQ_ERR_INVAL;
 if(context->listener->security_options.password_file == NULL) return MOSQ_ERR_PLUGIN_DEFER;
 unpwd_ref = context->listener->unpwd;
+ allow_anonymous = context->listener->security_options.allow_anonymous;
 }else{
 if(db->config->security_options.password_file == NULL) return MOSQ_ERR_PLUGIN_DEFER;
 unpwd_ref = db->unpwd;
+ allow_anonymous = db->config->security_options.allow_anonymous;
 }
 if(context->username == NULL){
 /* Check must be made only after checking unpwd_ref.
 * This is DENY here, because in MQTT v5 username can be missing when
 * password is present, but we don't support that. */
- return MOSQ_ERR_AUTH;
+ if(allow_anonymous == true){
+ return MOSQ_ERR_SUCCESS;
+ }else{
+ return MOSQ_ERR_AUTH;
+ }
 }
 HASH_ITER(hh, unpwd_ref, u, tmp){
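Review bot: The comment kept above the new branch in the second hunk still says "This is DENY here", but the branch now returns MOSQ_ERR_SUCCESS whenever allow_anonymous is set. That includes the MQTT v5 case the comment names, where a password is present and the username is missing, so such a client would be accepted as anonymous with its password ignored. If that case should still be rejected, the success path should also require that no password was supplied, e.g. `if(allow_anonymous == true && context->password == NULL){`, assuming the context stores the password in a field of that name (not visible in this hunk). If accepting it is intended, reword the comment to something like `/* No username: treat the client as anonymous; allowed only when allow_anonymous is set. */`. The body of mosquitto_unpwd_check_default starts before and continues after the hunk, so the effect on the later hash comparison cannot be judged from here.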