
[DynamicSecurity] modifyGroup command does not validate against clients

Open sszczep opened this issue 1 year ago • 2 comments

Consider the following message on the $CONTROL MQTT topic:

{
  "commands": [
    {
      "groupname": "groupName",
      "roles": [
        {
          "rolename": "roleName"
        }
      ],
      "clients": [
        {
          "username": "userName"
        }
      ],
      "command": "modifyGroup"
    }
  ]
}

If the role does not exist, it will result in an error stating "Role not found"; however, the same does not apply to a nonexistent client - the command goes through successfully and results in an empty clients group in the database file.

I truly believe it is a mistake and should throw an error in such a case.

Using the latest eclipse-mosquitto Docker image running on Apple M1.

sszczep, Jul 23 '22 20:07

Thank you, yes, the modify commands need some work to ensure that if there is an error the thing they are modifying remains unchanged.

ralight, Aug 06 '22 21:08

Do you want me to take a look at it? If it's a small change and you already know how to fix it, it would be great as I wouldn't need to deep dive into the source code. Please let me know.

sszczep, Aug 06 '22 22:08

Thank you for the offer. It wasn't a trivial change, otherwise I would have just done it then. I've made the change now, and for the modifyClient command.

ralight, Aug 15 '22 23:08
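
A model of the validate-then-commit behaviour discussed in this thread, added here as an example; it is not code from Mosquitto or from either commenter. The in-memory `STATE`, the function names, and the "Group not found" / "Client not found" strings are assumptions; only "Role not found" is quoted in the issue.

```python
import copy
import json

# Constructed stand-in for the plugin's state; not Mosquitto's real data model.
STATE = {
    "roles": {"roleName"},
    "clients": {"alice"},
    "groups": {"groupName": {"roles": [], "clients": ["alice"]}},
}

def modify_group(state, cmd):
    """Return (state, error). On any error the original state is returned as is."""
    if cmd.get("groupname") not in state["groups"]:
        return state, "Group not found"  # assumed wording
    # Phase 1: resolve every reference before touching anything.
    roles = clients = None  # None means "key absent, leave unchanged"
    if "roles" in cmd:
        roles = [r.get("rolename") for r in cmd["roles"]]
        if any(r not in state["roles"] for r in roles):
            return state, "Role not found"  # wording quoted in the issue
    if "clients" in cmd:
        clients = [c.get("username") for c in cmd["clients"]]
        if any(c not in state["clients"] for c in clients):
            return state, "Client not found"  # assumed wording
    # Phase 2: commit on a copy, so the old state never holds a partial edit.
    updated = copy.deepcopy(state)
    group = updated["groups"][cmd["groupname"]]
    if roles is not None:
        group["roles"] = roles
    if clients is not None:
        group["clients"] = clients
    return updated, None

def handle(state, payload):
    """Apply each modifyGroup command in a payload; return (state, responses)."""
    responses = []
    for cmd in json.loads(payload)["commands"]:
        if cmd.get("command") != "modifyGroup":
            responses.append({"command": cmd.get("command"), "error": "Unsupported in this model"})
            continue
        state, err = modify_group(state, cmd)
        responses.append({"command": "modifyGroup", **({"error": err} if err else {})})
    return state, responses

# The payload from the issue: the role exists in STATE, the client does not.
ISSUE_PAYLOAD = json.dumps({"commands": [{"groupname": "groupName",
    "roles": [{"rolename": "roleName"}], "clients": [{"username": "userName"}],
    "command": "modifyGroup"}]})
```

With the issue's payload, the valid role is not applied either, because the unknown client fails the command before anything is written.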