dynsec: Forbid deleting the anon group.
parent
7917553eb2
commit
4d1b587e29
@ -1,6 +1,14 @@
|
|||||||
2.0.15 - 2022-xx-xx
|
2.0.15 - 2022-08-16
|
||||||
===================
|
===================
|
||||||
|
|
||||||
|
Security:
|
||||||
|
- Deleting the group configured as the anonymous group in the Dynamic Security
|
||||||
|
plugin, would leave a dangling pointer that could lead to a single crash.
|
||||||
|
This is considered a minor issue - only administrative users should have
|
||||||
|
access to dynsec, the impact on availability is one-off, and there is no
|
||||||
|
associated loss of data. It is now forbidden to delete the group configured
|
||||||
|
as the anonymous group.
|
||||||
|
|
||||||
Broker:
|
Broker:
|
||||||
- Fix memory leak when a plugin modifies the topic of a message in
|
- Fix memory leak when a plugin modifies the topic of a message in
|
||||||
MOSQ_EVT_MESSAGE.
|
MOSQ_EVT_MESSAGE.
|
||||||
|
@ -466,6 +466,11 @@ int dynsec_groups__process_delete(cJSON *j_responses, struct mosquitto *context,
|
|||||||
|
|
||||||
group = dynsec_groups__find(groupname);
|
group = dynsec_groups__find(groupname);
|
||||||
if(group){
|
if(group){
|
||||||
|
if(group == dynsec_anonymous_group){
|
||||||
|
dynsec__command_reply(j_responses, context, "deleteGroup", "Deleting the anonymous group is forbidden", correlation_data);
|
||||||
|
return MOSQ_ERR_INVAL;
|
||||||
|
}
|
||||||
|
|
||||||
/* Enforce any changes */
|
/* Enforce any changes */
|
||||||
group__kick_all(group);
|
group__kick_all(group);
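Review bot: The guard added at the top of the `if(group){` branch has no comment saying why the anonymous group must not be freed; the changelog entry explains it, but the code does not. A line such as `/* dynsec_anonymous_group still points at this group; freeing it would leave a dangling pointer */` above `if(group == dynsec_anonymous_group){` would keep that reasoning next to the check. The check protects only the deleteGroup command path; whether any other path can free a group while `dynsec_anonymous_group` still refers to it is not visible here, so it is worth confirming that the free routine itself cannot be reached with that pointer live. The body of dynsec_groups__process_delete starts and ends outside this hunk.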
|
||||||
|
|
||||||
|
@ -71,6 +71,15 @@ create_role_apply_response = {'responses': [
|
|||||||
]}
|
]}
|
||||||
|
|
||||||
|
|
||||||
|
delete_anon_group_command = { "commands": [
|
||||||
|
{ "command": "deleteGroup", "groupname": "anon-clients", "correlationData": "40" }
|
||||||
|
]
|
||||||
|
}
|
||||||
|
delete_anon_group_response = {'responses': [
|
||||||
|
{'command': 'deleteGroup', "error":'Deleting the anonymous group is forbidden', 'correlationData': '40'}
|
||||||
|
]}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
rc = 1
|
rc = 1
|
||||||
keepalive = 10
|
keepalive = 10
|
||||||
@ -136,6 +145,9 @@ try:
|
|||||||
csock = mosq_test.do_client_connect(connect_packet, connack_packet, timeout=5, port=port)
|
csock = mosq_test.do_client_connect(connect_packet, connack_packet, timeout=5, port=port)
|
||||||
mosq_test.do_send_receive(csock, subscribe_packet, suback_packet_success, "suback 3")
|
mosq_test.do_send_receive(csock, subscribe_packet, suback_packet_success, "suback 3")
|
||||||
|
|
||||||
|
# Try to delete anon group, this should fail
|
||||||
|
command_check(sock, delete_anon_group_command, delete_anon_group_response)
|
||||||
|
|
||||||
rc = 0
|
rc = 0
|
||||||
|
|
||||||
sock.close()
|
sock.close()
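Review bot: The check added after the "suback 3" exchange asserts only the error reply to `deleteGroup`; nothing afterwards shows that the anonymous group is still in effect or that existing anonymous sessions were left alone. Because the guard in the broker sits before the kick-and-free steps, a follow-up exchange on `csock` after `command_check(sock, delete_anon_group_command, delete_anon_group_response)` would pin that a rejected delete has no side effects. A further anonymous connect via `mosq_test.do_client_connect` would serve the same purpose, assuming `connect_packet` is the anonymous client's CONNECT. The new `delete_anon_group_response` literal also mixes quote styles (`"error":'Deleting ...'`), unlike the single-quoted keys around it. The `try:` body continues outside this hunk.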
|
||||||
|