projects / quassel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 03c4c31) | patch
Make sure that clients can't access buffers belonging to other users
authorMarcus Eggenberger <egs@quassel-irc.org>
Sun, 24 Nov 2013 16:03:34 +0000 (17:03 +0100)
committerMarcus Eggenberger <egs@quassel-irc.org>
Sun, 24 Nov 2013 16:05:55 +0000 (17:05 +0100)
commit1fc8eb59a87c005ddfe7d21bc225bef8692b9743
tree0cf7fd24d77de375ed9642b2fd3d8a4f8118c2c6tree | snapshot
parent03c4c31e9eeb5040697881be976024aad68c4588commit | diff
Make sure that clients can't access buffers belonging to other users

A manipulated, but properly authenticated client was able to retrieve
the backlog of other users on the same core in some cases by providing
an appropriate BufferID to the storage engine. Note that proper
authentication was still required, so exploiting this requires
malicious users on your core. This commit fixes this issue by ensuring
that foreign BufferIDs are off-limits.
src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql diff | blob | history
src/core/SQL/PostgreSQL/16/update_network.sql diff | blob | history
src/core/SQL/SQLite/17/select_buffer_by_id.sql diff | blob | history
Quassel IRC