dynsec: Forbid deleting the anon group.
parent
7917553eb2
commit
4d1b587e29
@ -1,6 +1,14 @@
|
||||
2.0.15 - 2022-xx-xx
|
||||
2.0.15 - 2022-08-16
|
||||
===================
|
||||
|
||||
Security:
|
||||
- Deleting the group configured as the anonymous group in the Dynamic Security
|
||||
plugin, would leave a dangling pointer that could lead to a single crash.
|
||||
This is considered a minor issue - only administrative users should have
|
||||
access to dynsec, the impact on availability is one-off, and there is no
|
||||
associated loss of data. It is now forbidden to delete the group configured
|
||||
as the anonymous group.
|
||||
|
||||
Broker:
|
||||
- Fix memory leak when a plugin modifies the topic of a message in
|
||||
MOSQ_EVT_MESSAGE.
|
||||
|
@ -466,6 +466,11 @@ int dynsec_groups__process_delete(cJSON *j_responses, struct mosquitto *context,
|
||||
|
||||
group = dynsec_groups__find(groupname);
|
||||
if(group){
|
||||
if(group == dynsec_anonymous_group){
|
||||
dynsec__command_reply(j_responses, context, "deleteGroup", "Deleting the anonymous group is forbidden", correlation_data);
|
||||
return MOSQ_ERR_INVAL;
|
||||
}
|
||||
|
||||
/* Enforce any changes */
|
||||
group__kick_all(group);
|
||||
|
||||
|
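Review bot: The new `if(group == dynsec_anonymous_group)` guard has no comment saying why the delete is refused, and the reason is a memory-safety one that a later refactor could undo without noticing. I would add above it `/* dynsec_anonymous_group still points at this entry; freeing it would leave that pointer dangling */`. The refusal is also reported only to the requesting client through `dynsec__command_reply`, so it may be worth logging the denied attempt on the broker side if this function logs successful deletes further down. dynsec_groups__process_delete starts and ends outside the hunk, so whether any other path can free a group while it is still the anonymous group cannot be checked from here.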
@ -71,6 +71,15 @@ create_role_apply_response = {'responses': [
|
||||
]}
|
||||
|
||||
|
||||
delete_anon_group_command = { "commands": [
|
||||
{ "command": "deleteGroup", "groupname": "anon-clients", "correlationData": "40" }
|
||||
]
|
||||
}
|
||||
delete_anon_group_response = {'responses': [
|
||||
{'command': 'deleteGroup', "error":'Deleting the anonymous group is forbidden', 'correlationData': '40'}
|
||||
]}
|
||||
|
||||
|
||||
|
||||
rc = 1
|
||||
keepalive = 10
|
||||
@ -136,6 +145,9 @@ try:
|
||||
csock = mosq_test.do_client_connect(connect_packet, connack_packet, timeout=5, port=port)
|
||||
mosq_test.do_send_receive(csock, subscribe_packet, suback_packet_success, "suback 3")
|
||||
|
||||
# Try to delete anon group, this should fail
|
||||
command_check(sock, delete_anon_group_command, delete_anon_group_response)
|
||||
|
||||
rc = 0
|
||||
|
||||
sock.close()
|
||||
|
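Review bot: The added `command_check(sock, delete_anon_group_command, delete_anon_group_response)` asserts only the error reply, so the test would still pass if the broker sent that reply and removed the group anyway. Following it with a read-back of the anonymous group, for example `command_check(sock, get_anon_group_command, get_anon_group_response)` with the two dicts defined next to the `delete_anon_group_*` pair, would pin that `anon-clients` is still configured after the refused delete. The names in that line are placeholders for dicts this test would have to add, and the expected response shape should be taken from the plugin's actual output. The `try:` block starts before the hunk and continues past it.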