Make sure that clients can't access buffers belonging to other users

A manipulated, but properly authenticated client was able to retrieve
the backlog of other users on the same core in some cases by providing
an appropriate BufferID to the storage engine. Note that proper
authentication was still required, so exploiting this requires
malicious users on your core. This commit fixes this issue by ensuring
that foreign BufferIDs are off-limits.

diff --git a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
index 09f202e..cccfa7c 100644 (file)
--- a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
+++ b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
@@ -1,3 +1,3 @@
 SELECT bufferid, networkid, buffertype, groupid, buffername
 FROM buffer
-WHERE bufferid = :bufferid
+WHERE userid = :userid AND bufferid = :bufferid

diff --git a/src/core/SQL/PostgreSQL/16/update_network.sql b/src/core/SQL/PostgreSQL/16/update_network.sql
index a000f61..d2dea84 100644 (file)
--- a/src/core/SQL/PostgreSQL/16/update_network.sql
+++ b/src/core/SQL/PostgreSQL/16/update_network.sql
@@ -17,4 +17,5 @@ rejoinchannels = :rejoinchannels,
 usesasl = :usesasl,
 saslaccount = :saslaccount,
 saslpassword = :saslpassword
-WHERE networkid = :networkid
+WHERE userid = :userid AND networkid = :networkid
+

diff --git a/src/core/SQL/SQLite/17/select_buffer_by_id.sql b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
index 09f202e..6bd35f0 100644 (file)
--- a/src/core/SQL/SQLite/17/select_buffer_by_id.sql
+++ b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
@@ -1,3 +1,3 @@
 SELECT bufferid, networkid, buffertype, groupid, buffername
 FROM buffer
-WHERE bufferid = :bufferid
+WHERE bufferid = :bufferid AND userid = :userid