regression because of CVE-2017-7650: clientid with / character #462
Comments
Also plugins that do proper checks are affected by this! It would be nice to be able to opt out of this unwanted security...
What about cleaning up client_id after auth plugin check instead of enforcing policy before?
It was a mistake not to change the autogenerated IDs for mosquitto_pub/sub. This is fixed in the fixes branch. I think it will be required to allow Plugins that do proper checks are affected by this, yes, but in a survey of plugins that I could find, more were vulnerable than secure, so this was taken as the least worst option. How about a
That would work for me, although in my case a bit of a misnomer, because the auth plugin we wrote is not susceptible to the problem, i.e. user names or client IDs never appear in topics. What about
Any thoughts on a better name?
Auth plugins can be configured to disable the check for +# in usernames/client ids with the auth_plugin_deny_special_chars option. Thanks to wiebeytec. Bug: #462
Checks for '/' are no longer made, this character is a much lower risk and is widely used in usernames. Bug: #462
This should be fixed in the upcoming 1.4.13 release, so I'm closing this.
The `/` character is not allowed in the client ID since version 1.4.12. This breaks mosquitto_pub and mosquitto_sub, in generate_client_id, because they themselves use a `/`. Even if that is changed, all versions installed by distros will break on this.
The `/` was included in the blacklist because it "may represent an additional risk". Perhaps it should be undone?
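As an added illustration of the policy the thread converges on (this is example code, not mosquitto's own implementation), the check below rejects the topic wildcards `+` and `#` in a client ID or username, treats `/` as rejectable only under a `deny_slash` flag that models the 1.4.12 behaviour reported here as a regression, and only substitutes `%c` into a pattern ACL after the ID has passed. The `mosqpub/<pid>-<host>` ID shape used in `main` is an assumption about the generated ID format, not taken from the project.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* '+' and '#' are MQTT topic-filter wildcards, so the thread settles on
 * always rejecting them in usernames and client IDs. '/' is only a level
 * separator; deny_slash = true models the 1.4.12 behaviour this issue
 * reports as a regression, false the 1.4.13 behaviour. */
bool identifier_is_acceptable(const char *id, bool deny_slash)
{
    if (id == NULL || *id == '\0') return false;
    for (const char *p = id; *p; p++) {
        if (*p == '+' || *p == '#') return false;
        if (deny_slash && *p == '/') return false;
    }
    return true;
}

/* Substitute %c in a pattern ACL with the client ID, but only once the ID
 * has passed the wildcard check, so the resulting topic filter can never be
 * wider than the one the administrator wrote. Returns false (out empty)
 * when the ID is rejected or out is too small. */
bool expand_pattern_acl(const char *pattern, const char *client_id,
                        bool deny_slash, char *out, size_t outlen)
{
    if (outlen == 0) return false;
    out[0] = '\0';
    if (!identifier_is_acceptable(client_id, deny_slash)) return false;
    size_t n = 0;
    for (const char *p = pattern; *p; p++) {
        const char *piece = NULL;
        size_t len = 1;
        if (p[0] == '%' && p[1] == 'c') { piece = client_id; len = strlen(client_id); p++; }
        if (n + len >= outlen) { out[0] = '\0'; return false; }
        if (piece) memcpy(out + n, piece, len); else out[n] = *p;
        n += len;
    }
    out[n] = '\0';
    return true;
}

int main(void)
{
    /* Constructed ID in the assumed "mosqpub/<pid>-<host>" shape. */
    const char *gen = "mosqpub/1234-host";
    char topic[64];
    printf("1.4.12 rule: %s\n", identifier_is_acceptable(gen, true) ? "accepted" : "rejected");
    printf("1.4.13 rule: %s\n", identifier_is_acceptable(gen, false) ? "accepted" : "rejected");
    if (expand_pattern_acl("client/%c/status", gen, false, topic, sizeof topic))
        printf("ACL topic filter: %s\n", topic);
    return 0;
}
```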