From 6f4e0a15682117c398f29c2ccf562cb78eee1a7b Mon Sep 17 00:00:00 2001
From: "Roger A. Light" <roger@atchoo.org>
Date: Sat, 26 Sep 2020 18:49:25 +0100
Subject: [PATCH] mosquitto_passwd: Forbid the ':' character in usernames.

---
 ChangeLog.txt          | 3 +++
 src/mosquitto_passwd.c | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/ChangeLog.txt b/ChangeLog.txt
index ded3a8e2..28efef26 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,3 +1,6 @@
+Broker:
+- mosquitto_password now forbids the : character. Closes #1833.
+
 Client library:
 - Fix send quota being incorrecly reset on reconnect. Closes #1822.
 - Don't use logging until log mutex is initialised. Closes #1819.
diff --git a/src/mosquitto_passwd.c b/src/mosquitto_passwd.c
index a86071f9..90f2ff43 100644
--- a/src/mosquitto_passwd.c
+++ b/src/mosquitto_passwd.c
@@ -598,6 +598,10 @@ int main(int argc, char *argv[])
 		return 1;
 	}
 
+	if(strchr(username, ':')){
+		fprintf(stderr, "Error: Username must not contain the ':' character.\n");
+		return 1;
+	}
 #ifdef WIN32
 	password_file = _fullpath(NULL, password_file_tmp, 0);
 	if(!password_file){