Don't allow access to clients when authenticating if a security plugin returns an application error. Fixes bug #1340782.
Thanks to Charlie Davis.
parent
8efb4f9334
commit
e5aa843ec7
@ -10,6 +10,8 @@ Clients:
|
||||
================
|
||||
|
||||
Broker:
|
||||
- Don't allow access to clients when authenticating if a security plugin
|
||||
returns an application error. Fixes bug #1340782.
|
||||
- Ensure that bridges verify certificates by default when using TLS.
|
||||
- Fix possible crash when using pattern ACLs that do not include a %u and
|
||||
clients that connect without a username.
|
||||
|
16
src/bridge.c
16
src/bridge.c
@ -163,11 +163,19 @@ int mqtt3_bridge_connect(struct mosquitto_db *db, struct mosquitto *context)
|
||||
}
|
||||
|
||||
rc = mosquitto_unpwd_check(db, context->bridge->local_username, context->bridge->local_password);
|
||||
if(rc == MOSQ_ERR_AUTH){
|
||||
_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Bridge %s failed authentication on local broker.", context->id);
|
||||
return rc;
|
||||
switch(rc){
|
||||
case MOSQ_ERR_SUCCESS:
|
||||
break;
|
||||
case MOSQ_ERR_AUTH:
|
||||
_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Bridge %s failed authentication on local broker.", context->id);
|
||||
return rc;
|
||||
case MOSQ_ERR_UNKNOWN:
|
||||
_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Bridge %s returned application error in authorisation.", context->id);
|
||||
return rc;
|
||||
default:
|
||||
_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Unknown error in authentication for bridge %s.", context->id);
|
||||
return rc;
|
||||
}
|
||||
rc = 0;
|
||||
|
||||
/* Delete all local subscriptions even for clean_session==false. We don't
|
||||
* remove any messages and the next loop carries out the resubscription
|
||||
|
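Review bot: The log text in the `case MOSQ_ERR_UNKNOWN:` branch says "application error in authorisation", but the call being checked is `mosquitto_unpwd_check`, i.e. authentication, and the message blames the bridge rather than the security plugin that returned the error. Suggest `_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Security plugin returned an application error while authenticating bridge %s on local broker.", context->id);` so an operator reading the log knows which component to look at. The `rc = 0;` after the switch is now only reached through the `MOSQ_ERR_SUCCESS` case, so it is redundant but harmless. mqtt3_bridge_connect continues outside the hunk.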
@ -344,13 +344,20 @@ int mqtt3_handle_connect(struct mosquitto_db *db, struct mosquitto *context)
|
||||
#endif /* WITH_TLS */
|
||||
if(username_flag){
|
||||
rc = mosquitto_unpwd_check(db, username, password);
|
||||
if(rc == MOSQ_ERR_AUTH){
|
||||
_mosquitto_send_connack(context, CONNACK_REFUSED_BAD_USERNAME_PASSWORD);
|
||||
mqtt3_context_disconnect(db, context);
|
||||
rc = MOSQ_ERR_SUCCESS;
|
||||
goto handle_connect_error;
|
||||
}else if(rc == MOSQ_ERR_INVAL){
|
||||
goto handle_connect_error;
|
||||
switch(rc){
|
||||
case MOSQ_ERR_SUCCESS:
|
||||
break;
|
||||
case MOSQ_ERR_AUTH:
|
||||
_mosquitto_send_connack(context, CONNACK_REFUSED_BAD_USERNAME_PASSWORD);
|
||||
mqtt3_context_disconnect(db, context);
|
||||
rc = MOSQ_ERR_SUCCESS;
|
||||
goto handle_connect_error;
|
||||
break;
|
||||
default:
|
||||
mqtt3_context_disconnect(db, context);
|
||||
rc = MOSQ_ERR_SUCCESS;
|
||||
goto handle_connect_error;
|
||||
break;
|
||||
}
|
||||
context->username = username;
|
||||
context->password = password;
|
||||
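Review bot: The `default:` branch disconnects the client and overwrites `rc` with `MOSQ_ERR_SUCCESS` without logging anything, so a security plugin failing during authentication, the case this commit targets, leaves no trace for the operator, and the previous `MOSQ_ERR_INVAL` path, which propagated the error to the caller, is now silently converted to success as well. The bridge hunk in this commit logs the equivalent condition; for consistency add before the disconnect something like `_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Authentication returned error %d for connecting client; refusing connection.", rc);`. Refusing the connection on any non-AUTH error is the right fail-closed choice; note only that the `break;` after `goto handle_connect_error;` in both cases is unreachable. mqtt3_handle_connect continues on both sides of the hunk.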
@ -629,8 +636,15 @@ int mqtt3_handle_subscribe(struct mosquitto_db *db, struct mosquitto *context)
|
||||
|
||||
if(context->protocol == mosq_p_mqtt311){
|
||||
rc = mosquitto_acl_check(db, context, sub, MOSQ_ACL_READ);
|
||||
if(rc == MOSQ_ERR_ACL_DENIED){
|
||||
qos = 0x80;
|
||||
switch(rc){
|
||||
case MOSQ_ERR_SUCCESS:
|
||||
break;
|
||||
case MOSQ_ERR_ACL_DENIED:
|
||||
qos = 0x80;
|
||||
break;
|
||||
default:
|
||||
_mosquitto_free(sub);
|
||||
return rc;
|
||||
}
|
||||
}
|
||||
|
||||
|
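Review bot: The new `default:` branch frees `sub` and returns `rc`, but if a SUBACK payload buffer has already been accumulated for earlier topics of this SUBSCRIBE packet by this point (the hunk does not show it), that buffer is not released on this new exit path; worth confirming against the surrounding allocation and free pairs in mqtt3_handle_subscribe, which starts and ends outside the hunk. Returning the error presumably makes the caller drop the connection, which is the intended fail-closed outcome when the ACL plugin itself fails rather than denies, so a short comment such as `/* Plugin error: treat as fatal for this client rather than as a denial. */` would make the distinction from `MOSQ_ERR_ACL_DENIED` explicit.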
@ -92,7 +92,7 @@ static int _subs_process(struct mosquitto_db *db, struct _mosquitto_subhier *hie
|
||||
hier->retained = NULL;
|
||||
}
|
||||
}
|
||||
while(source_id && leaf){
|
||||
while(source_id && leaf && ){
|
||||
if(leaf->context->is_bridge && !strcmp(leaf->context->id, source_id)){
|
||||
leaf = leaf->next;
|
||||
continue;
|
||||
@ -131,7 +131,7 @@ static int _subs_process(struct mosquitto_db *db, struct _mosquitto_subhier *hie
|
||||
}
|
||||
if(mqtt3_db_message_insert(db, leaf->context, mid, mosq_md_out, msg_qos, client_retain, stored) == 1) rc = 1;
|
||||
}else{
|
||||
rc = 1;
|
||||
return 1; /* Application error */
|
||||
}
|
||||
leaf = leaf->next;
|
||||
}
|
||||
|
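Review bot: In the second hunk, `return 1; /* Application error */` leaves _subs_process from inside the leaf loop, so a plugin error while checking one subscriber's ACL now stops delivery to every subscriber after it in the list, whereas the replaced `rc = 1;` recorded the error and kept iterating; the commit message only mentions refusing access to the affected client, so if the broader abort is intended a comment stating that is worth adding, and if not, `leaf = leaf->next; continue;` would skip only the failing subscriber while still withholding the message from it. Any cleanup the function does after the loop is also bypassed by the return; the body continues outside the hunk. In the first hunk, the new `while(source_id && leaf && ){` line as rendered ends in a dangling `&&`, which cannot compile; that looks like the page dropping part of the condition, but it should be checked against the actual commit.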