From: Marcus Eggenberger Date: Sun, 24 Nov 2013 16:03:34 +0000 (+0100) Subject: Make sure that clients can't access buffers belonging to other users X-Git-Tag: 0.10-beta1~88 X-Git-Url: https://git.quassel-irc.org/?p=quassel.git;a=commitdiff_plain;h=1fc8eb59a87c005ddfe7d21bc225bef8692b9743 Make sure that clients can't access buffers belonging to other users A manipulated, but properly authenticated client was able to retrieve the backlog of other users on the same core in some cases by providing an appropriate BufferID to the storage engine. Note that proper authentication was still required, so exploiting this requires malicious users on your core. This commit fixes this issue by ensuring that foreign BufferIDs are off-limits. --- diff --git a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql index 09f202e8..cccfa7cd 100644 --- a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql +++ b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql @@ -1,3 +1,3 @@ SELECT bufferid, networkid, buffertype, groupid, buffername FROM buffer -WHERE bufferid = :bufferid +WHERE userid = :userid AND bufferid = :bufferid diff --git a/src/core/SQL/PostgreSQL/16/update_network.sql b/src/core/SQL/PostgreSQL/16/update_network.sql index a000f61e..d2dea840 100644 --- a/src/core/SQL/PostgreSQL/16/update_network.sql +++ b/src/core/SQL/PostgreSQL/16/update_network.sql @@ -17,4 +17,5 @@ rejoinchannels = :rejoinchannels, usesasl = :usesasl, saslaccount = :saslaccount, saslpassword = :saslpassword -WHERE networkid = :networkid +WHERE userid = :userid AND networkid = :networkid + diff --git a/src/core/SQL/SQLite/17/select_buffer_by_id.sql b/src/core/SQL/SQLite/17/select_buffer_by_id.sql index 09f202e8..6bd35f0b 100644 --- a/src/core/SQL/SQLite/17/select_buffer_by_id.sql +++ b/src/core/SQL/SQLite/17/select_buffer_by_id.sql @@ -1,3 +1,3 @@ SELECT bufferid, networkid, buffertype, groupid, buffername FROM buffer -WHERE bufferid = :bufferid +WHERE bufferid = :bufferid AND userid = :userid