From 39170d11815e94600ffa334206fe5836726df2e2 Mon Sep 17 00:00:00 2001
From: "Roger A. Light" <roger@atchoo.org>
Date: Wed, 8 Aug 2018 13:15:54 +0100
Subject: [PATCH] ACL patterns that do not contain either %c or %u are now
 rejected.

Closes #209.

Bug: https://github.com/eclipse/mosquitto/issues/209

Signed-off-by: Roger A. Light <roger@atchoo.org>
---
 ChangeLog.txt          | 2 ++
 src/security_default.c | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/ChangeLog.txt b/ChangeLog.txt
index 905da262..eb5d1ff9 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -16,6 +16,8 @@ Broker:
   Closes #851.
 - Fix problem opening listeners on Pi caused by unsigned char being default.
   Found via #849.
+- ACL patterns that do not contain either %c or %u are now rejected. Closes
+  #209.
 
 Library:
 - Fix some places where return codes were incorrect, including to the
diff --git a/src/security_default.c b/src/security_default.c
index c2a43b26..ea6fd21c 100644
--- a/src/security_default.c
+++ b/src/security_default.c
@@ -279,6 +279,14 @@ int add__acl_pattern(struct mosquitto__security_options *security_opts, const ch
 		}
 	}
 
+	if(acl->ccount == 0 && acl->ucount == 0){
+		log__printf(NULL, MOSQ_LOG_ERR,
+				"Error: ACL pattern '%s' does not contain '%%c' or '%%u'.",
+				topic);
+
+		return MOSQ_ERR_INVAL;
+	}
+
 	if(security_opts->acl_patterns){
 		acl_tail = security_opts->acl_patterns;
 		while(acl_tail->next){