[462] Relax CVE-2017-7650 checks.

Checks for '/' are no longer made, this character is a much lower risk and is widely used in usernames. Bug: #462
eclipse · Jun 27, 2017 · cd17ca4 · cd17ca4
1 parent c3823c0
commit cd17ca4
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 6 deletions.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -19,6 +19,8 @@ Broker:
 - Auth plugins can be configured to disable the check for +# in
  usernames/client ids with the auth_plugin_deny_special_chars option.
  Partially closes #462.
+- Restrictions for CVE-2017-7650 have been relaxed - '/' is allowed in
+ usernames/client ids.
 
 Clients:
 - Don't use / in auto-generated client ids.

diff --git a/src/security.c b/src/security.c
@@ -235,17 +235,17 @@ int mosquitto_acl_check(struct mosquitto_db *db, struct mosquitto *context, cons
  }
 
  if(db->config->auth_plugin_deny_special_chars == true){
- /* Check whether the client id or username contains a +, # or / and if
+ /* Check whether the client id or username contains a + or # and if
  * so deny access.
  *
  * Do this check for every message regardless, we have to protect the
  * plugins against possible pattern based attacks.
  */
- if(username && strpbrk(username, "+#/")){
+ if(username && strpbrk(username, "+#")){
  _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", username);
  return MOSQ_ERR_ACL_DENIED;
  }
- if(context->id && strpbrk(context->id, "+#/")){
+ if(context->id && strpbrk(context->id, "+#")){
  _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id);
  return MOSQ_ERR_ACL_DENIED;
  }

diff --git a/src/security_default.c b/src/security_default.c
@@ -264,18 +264,18 @@ int mosquitto_acl_check_default(struct mosquitto_db *db, struct mosquitto *conte
 
  if(acl_root){
  /* We are using pattern based acls. Check whether the username or
- * client id contains a +, # or / and if so deny access.
+ * client id contains a + or # and if so deny access.
  *
  * Without this, a malicious client may configure its username/client
  * id to bypass ACL checks (or have a username/client id that cannot
  * publish or receive messages to its own place in the hierarchy).
  */
- if(context->username && strpbrk(context->username, "+#/")){
+ if(context->username && strpbrk(context->username, "+#")){
  _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", context->username);
  return MOSQ_ERR_ACL_DENIED;
  }
 
- if(context->id && strpbrk(context->id, "+#/")){
+ if(context->id && strpbrk(context->id, "+#")){
  _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id);
  return MOSQ_ERR_ACL_DENIED;
  }