From 4150b2f23376a28b1b26abf258cf27b38609c502 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Thu, 19 Nov 2020 12:03:51 +0000
Subject: [PATCH] dynsec: Ignore empty passwords on setClientPassword/modifyClient.

---
 plugins/dynamic-security/clients.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/plugins/dynamic-security/clients.c b/plugins/dynamic-security/clients.c
index b3d602ae..14936bf4 100644
--- a/plugins/dynamic-security/clients.c
+++ b/plugins/dynamic-security/clients.c
@@ -619,6 +619,10 @@ int dynsec_clients__process_set_password(cJSON *j_responses, struct mosquitto *c
 dynsec__command_reply(j_responses, context, "setClientPassword", "Invalid/missing password", correlation_data);
 return MOSQ_ERR_INVAL;
 }
+ if(strlen(password) == 0){
+ dynsec__command_reply(j_responses, context, "setClientPassword", "Empty password is not allowed", correlation_data);
+ return MOSQ_ERR_INVAL;
+ }
 
 client = dynsec_clients__find(username);
 if(client == NULL){
@@ -696,11 +700,14 @@ int dynsec_clients__process_modify(cJSON *j_responses, struct mosquitto *context
 }
 
 if(json_get_string(command, "password", &password, false) == MOSQ_ERR_SUCCESS){
- rc = client__set_password(client, password);
- if(rc != MOSQ_ERR_SUCCESS){
- dynsec__command_reply(j_responses, context, "modifyClient", "Internal error", correlation_data);
- mosquitto_kick_client_by_username(username, false);
- return MOSQ_ERR_NOMEM;
+ if(strlen(password) > 0){
+ /* If password == "", we just ignore it */
+ rc = client__set_password(client, password);
+ if(rc != MOSQ_ERR_SUCCESS){
+ dynsec__command_reply(j_responses, context, "modifyClient", "Internal error", correlation_data);
+ mosquitto_kick_client_by_username(username, false);
+ return MOSQ_ERR_NOMEM;
+ }
 }
 }
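Review bot: In the modifyClient hunk, a request carrying `"password": ""` is now skipped without any reply, so the caller cannot tell that the stored password was left unchanged, whereas the setClientPassword hunk answers the same input with "Empty password is not allowed" and `MOSQ_ERR_INVAL`. An administrator who blanks the field expecting to clear or disable a credential would presumably see the command succeed while the old password remains valid. Consider rejecting it the same way with an `else` branch, `dynsec__command_reply(j_responses, context, "modifyClient", "Empty password is not allowed", correlation_data); return MOSQ_ERR_INVAL;`, or at least extend the comment to `/* If password == "", ignore it: the existing password is kept unchanged */`. The rest of dynsec_clients__process_modify, including its final reply, lies outside the hunk, so the success path is inferred.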