From bad7ec75f04484590b845862ca788dded0690e48 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Wed, 8 Oct 2014 21:16:34 +0100
Subject: [PATCH] Temporarily disable ACL checks on subscriptions when using MQTT v3.1.1. This is due to the complexity of checking wildcard ACLs against wildcard subscriptions. This does not have a negative impact on security because checks are still made before a message is sent to a client. Fixes bug Thanks to Jan-Piet Mens and Christoph Krey.
---
 ChangeLog.txt | 5 +++++
 src/read_handle_server.c | 14 ++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/ChangeLog.txt b/ChangeLog.txt
index b668d145..75e2bba8 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -5,6 +5,11 @@ Broker:
 - Fix possible memory leak when using a topic that has a leading slash. Fixes bug #1360985.
 - Fix saving persistent database on Windows.
+- Temporarily disable ACL checks on subscriptions when using MQTT v3.1.1. This
+ is due to the complexity of checking wildcard ACLs against wildcard
+ subscriptions. This does not have a negative impact on security because
+ checks are still made before a message is sent to a client.
+ Fixes bug #1374291.
 Client library:
 - Fix mutex being incorrectly passed by value. Fixes bug #1373785.
diff --git a/src/read_handle_server.c b/src/read_handle_server.c
index fc491d3a..da99a2ce 100644
--- a/src/read_handle_server.c
+++ b/src/read_handle_server.c
@@ -634,6 +634,19 @@ int mqtt3_handle_subscribe(struct mosquitto_db *db, struct mosquitto *context)
 }
 _mosquitto_log_printf(NULL, MOSQ_LOG_DEBUG, "\t%s (QoS %d)", sub, qos);
+#if 0
+ /* FIXME
+ * This section has been disabled temporarily. mosquitto_acl_check
+ * calls mosquitto_topic_matches_sub, which can't cope with
+ * checking subscriptions that have wildcards against ACLs that
+ * have wildcards. Bug #1374291 is related.
+ *
+ * It's a very difficult problem when an ACL looks like foo/+/bar
+ * and a subscription request to foo/# is made.
+ *
+ * This should be changed to using MOSQ_ACL_SUBSCRIPTION in the
+ * future anyway.
+ */
 if(context->protocol == mosq_p_mqtt311){
 rc = mosquitto_acl_check(db, context, sub, MOSQ_ACL_READ);
 switch(rc){
@@ -647,6 +660,7 @@ int mqtt3_handle_subscribe(struct mosquitto_db *db, struct mosquitto *context)
 return rc;
 }
 }
+#endif
 if(qos != 0x80){
 rc2 = mqtt3_sub_add(db, context, sub, qos, &db->subs);
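Review bot: With the `#if 0` block in mqtt3_handle_subscribe compiled out, no ACL decision is made at subscribe time for MQTT v3.1.1, so all enforcement now rests on the per-message check at delivery, which is outside this diff. The skipped `switch(rc)` appears to be what marked a denied topic before the `if(qos != 0x80)` test (its cases fall between the two hunks, so this is inferred); without it a denied subscription is presumably acknowledged and stored like an allowed one, and neither the client nor the operator sees a refusal. I would record that dependency in the FIXME itself, for example `* Until this is re-enabled, v3.1.1 access control depends solely on the ACL check made when a message is delivered.`, and confirm that any retained messages sent as a result of `mqtt3_sub_add` go through that same check. The function body starts and ends outside both hunks, so the delivery path could not be verified from here.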