Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

regression because of CVE-2017-7650: clientid with / character #462

Closed
wiebeytec opened this issue Jun 14, 2017 · 6 comments
Closed

regression because of CVE-2017-7650: clientid with / character #462

wiebeytec opened this issue Jun 14, 2017 · 6 comments
Milestone
fixes-next

Comments

@wiebeytec
Copy link

wiebeytec commented Jun 14, 2017
edited

The / character is not allowed in the client ID since version 1.4.12. This breaks mosquitto_pub and mosquitto_sub, in generate_client_id, because they themselves use a /.

Even if that is changed, all versions installed by distros will break on this.

The / was included in the blacklist because it "may represent an additional risk". Perhaps it should be undone?
@hmvp
Copy link

hmvp commented Jun 15, 2017

Also plugins that do proper checks are effected by this!
We have to move to custom builds of mosquitto because we cannot disallow '/', '+' and '#' characters.

It would be nice to be able to opt out this unwanted security...

@vavrecan
Copy link

What about cleaning up client_id after auth plugin check instead of enforcing policy before?

@ralight
Copy link
Contributor

ralight commented Jun 19, 2017

It was a mistake not to change the autogenerated IDs for mosquitto_pub/sub. This is fixed in the fixes branch.

I think it will be required to allow / in usernames given their fairly widespread use there, but the spec does not expect / to be allowed in client ids.

Plugins that do proper checks are affected by this, yes, but in a survey of plugins that I could find, more were vulnerable than secure, so this was taken as the least worst option.

How about a plugin_supports CVE-2017-7650 option to indicate that the plugin already handles it?

@wiebeytec
Copy link
Author

How about a plugin_supports CVE-2017-7650 option to indicate that the plugin already handles it?

That would work for me, although in my case a bit of a misnomer, because the auth plugin we wrote is not susceptible to the problem, i.e. user names or client IDs never appear in topics.

What about auth_plugin_cve_2017_7650_safe true?

@ralight
Copy link
Contributor

ralight commented Jun 24, 2017

auth_plugin_cve_2017_7650_safe true - I was hoping to have a single config option for this sort of situation so if something else comes up then it's just another value to add rather than a new option.

Any thoughts on a better name?

ralight added a commit that referenced this issue Jun 27, 2017
@ralight
[462] Add auth_plugin_deny_special_chars option.
c3823c0 
Auth plugins can be configured to disable the check for +# in
usernames/client ids with the auth_plugin_deny_special_chars option.

Thanks to wiebeytec.

Bug: #462
ralight added a commit that referenced this issue Jun 27, 2017
@ralight
[462] Relax CVE-2017-7650 checks.
cd17ca4 
Checks for '/' are no longer made, this character is a much lower risk
and is widely used in usernames.

Bug: #462
@ralight
Copy link
Contributor

ralight commented Jun 27, 2017

This should be fixed in the upcoming 1.4.13 release, so I'm closing this.

@ralight ralight closed this as completed Jun 27, 2017
@ralight ralight added this to the fixes-next milestone Jun 27, 2017
@lock lock bot locked as resolved and limited conversation to collaborators Aug 8, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
fixes-next
Development

No branches or pull requests
4 participants
@ralight @hmvp @vavrecan @wiebeytec