mqtt-comment message
Subject: AW: [mqtt-comment] Restrict special characters in username/client id


Hi Roger,

As you point out, the client-id definition already excludes these and all other special characters.

I don't see an element in the specification draft that couples the username to the topic topology. Using that value to auto-generate or infer topic names seems like an implementation choice to me. Specific authorization models such as the one you cite are out of scope of the spec.

Excluding '+' and '/' would make it specifically impossible to have a base64-encoded username field, i.e. to use a key or binary identifier for that value that some broker would choose to understand. Banning '/' would also exclude cases where the username is the name of some entity from a hierarchical structure that uses '/' as a separator.

Best Regards
Clemens

-----Original Message-----
From: mqtt-comment@lists.oasis-open.org [mailto:mqtt-comment@lists.oasis-open.org] On Behalf Of Roger Light
Sent: Monday, 29 May 2017 17:07
To: mqtt-comment@lists.oasis-open.org
Subject: [mqtt-comment] Restrict special characters in username/client id

Hello,

Mosquitto has the ability to control topic access based on username/client id. This has led to a vulnerability report, CVE-2017-7650, which allows clients using e.g. '#' as their username to gain access to resources they are not allowed to access.

I'd like to suggest that usernames and client ids are restricted so that they may not contain a '+', '#' or '/' to work against this kind of exploit. Even without there being a security issue, clients with a '+' or '#' in their username/client id would not be able to publish to a topic related to their username/client id.

I know that at the moment the client id is only required to consist of a-zA-Z0-9, but I'd like to see these restrictions explicitly.

Regards,

Roger
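The failure mode Roger describes, as an added example that is not code from this thread or from Mosquitto: an ACL rule that substitutes the username into a topic filter turns a username made of wildcard characters into a filter that matches everything, and the proposed restriction is implemented as a validation step. The `%u` placeholder, the ACL pattern and the usernames below are constructed for illustration.

```python
"""Constructed example: username substitution into an MQTT ACL topic pattern.

A broker ACL rule such as 'users/%u/#' is meant to grant each client access
to its own subtree. If the username is dropped into the pattern unchecked,
a username of '#' or '+' becomes a wildcard and the rule matches any topic.
"""

# Characters that change meaning inside a topic filter: the two wildcards and
# the level separator. This is the set Roger proposes to forbid.
RESERVED_CHARS = frozenset("+#/")


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' the remainder."""
    flevels = topic_filter.split("/")
    tlevels = topic.split("/")
    for i, level in enumerate(flevels):
        if level == "#":
            return True          # multi-level wildcard accepts everything below
        if i >= len(tlevels):
            return False         # filter is longer than the topic
        if level != "+" and level != tlevels[i]:
            return False         # literal level mismatch
    return len(flevels) == len(tlevels)


def expand_pattern(pattern: str, username: str) -> str:
    """Naive substitution of %u, as a pattern-based ACL engine might do it."""
    return pattern.replace("%u", username)


def username_is_valid(username: str) -> bool:
    """Reject usernames that would act as wildcards after substitution."""
    return bool(username) and not (set(username) & RESERVED_CHARS)


def check_acl(pattern: str, username: str, topic: str, validate: bool) -> bool:
    """True if `username` may access `topic` under ACL `pattern`.

    validate=False reproduces the unchecked behaviour: the username is
    substituted as-is. validate=True applies the proposed restriction first.
    """
    if validate and not username_is_valid(username):
        return False
    return topic_matches(expand_pattern(pattern, username), topic)
```

The validation also rejects base64-encoded usernames, which is exactly the trade-off Clemens raises in his reply.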
