Subject: Restrict special characters in username/client id
Hello,

Mosquitto has the ability to control topic access based on username/client id. This has led to a vulnerability report, CVE-2017-7650, which allows clients using e.g. '#' as their username to gain access to resources they are not allowed. I'd like to suggest that usernames and client ids are restricted so that they may not contain a +, # or / to work against this kind of exploit. Even without there being a security issue, clients with a + or # in their username/client id would not be able to publish to a topic related to their username/client id. I know that at the moment the client id is only required to consist of a-zA-Z0-9, but I'd like to see these restrictions explicitly.

Regards,
Roger
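The mechanism behind the report, as an added illustration that is not part of the thread and not Mosquitto's own code: a simplified model of a pattern ACL that substitutes the connecting client's username (%u) or client id (%c) into a topic filter and then wildcard-matches it, showing how a username of '+' or '#' widens the filter, plus the identifier check the post proposes and the publish-topic rule that makes such identifiers useless to legitimate clients anyway. The function names, the ACL pattern and the usernames are constructed for the example.

```python
"""Toy model of username/client-id pattern ACLs (not Mosquitto's implementation).

Shows why a username containing an MQTT wildcard turns a per-user ACL
pattern into a wildcard filter, and what rejecting + # / in identifiers
changes.  All names and sample data are constructed for this example.
"""

# Characters the post proposes to forbid in usernames and client ids.
FORBIDDEN_IN_IDENTIFIER = set("+#/")


def identifier_ok(ident: str) -> bool:
    """True if a username or client id contains none of + # /."""
    return not (FORBIDDEN_IN_IDENTIFIER & set(ident))


def publish_topic_valid(topic: str) -> bool:
    """MQTT forbids the wildcard characters + and # in a PUBLISH topic name,
    so an identifier holding them can never appear in a publishable topic."""
    return "+" not in topic and "#" not in topic


def topic_matches(acl_filter: str, topic: str) -> bool:
    """MQTT filter match: '+' matches exactly one level, '#' matches the
    remainder of the topic (including an empty remainder)."""
    want = acl_filter.split("/")
    got = topic.split("/")
    for i, level in enumerate(want):
        if level == "#":
            return True
        if i >= len(got):
            return False
        if level != "+" and level != got[i]:
            return False
    return len(want) == len(got)


def pattern_acl_allows(pattern: str, username: str, clientid: str, topic: str,
                       check_identifiers: bool = False) -> bool:
    """Expand %u / %c in the ACL pattern with the client's identifiers and
    match the result against the requested topic.

    With check_identifiers=True, identifiers containing + # / are refused
    before any expansion happens (the restriction suggested in the post).
    """
    if check_identifiers and not (identifier_ok(username) and identifier_ok(clientid)):
        return False
    expanded = pattern.replace("%u", username).replace("%c", clientid)
    return topic_matches(expanded, topic)


def demo() -> dict:
    """Constructed scenario: each user may only read sensors/<username>/data."""
    pattern = "sensors/%u/data"
    other_users_topic = "sensors/bob/data"
    return {
        # honest user: confined to her own subtree
        "alice_own": pattern_acl_allows(pattern, "alice", "c1", "sensors/alice/data"),
        "alice_bob": pattern_acl_allows(pattern, "alice", "c1", other_users_topic),
        # username '+' expands the pattern to sensors/+/data: every user's data
        "plus_bob": pattern_acl_allows(pattern, "+", "c1", other_users_topic),
        # username '#' expands it to sensors/#/data: everything under sensors/
        "hash_bob": pattern_acl_allows(pattern, "#", "c1", other_users_topic),
        # same requests with the proposed identifier restriction in force
        "plus_bob_checked": pattern_acl_allows(pattern, "+", "c1", other_users_topic, True),
        "hash_bob_checked": pattern_acl_allows(pattern, "#", "c1", other_users_topic, True),
        # a client legitimately named 'a+b' could never publish to its own topic
        "a_plus_b_publish": publish_topic_valid("sensors/a+b/data"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The bypass is purely a string-substitution issue: nothing in the ACL layer distinguishes a '+' that came from the ACL file from a '+' that came from the CONNECT packet, so rejecting the wildcard characters (and '/', which would let an identifier span topic levels) at connect time is the simplest place to close it.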