From: Marcus Eggenberger
Date: Sun, 24 Nov 2013 16:03:34 +0000 (+0100)
Subject: Make sure that clients can't access buffers belonging to other users
X-Git-Tag: 0.9.2~10
X-Git-Url: https://git.quassel-irc.org/?p=quassel.git;a=commitdiff_plain;h=a1a24daa615a4e0679546c8a7a673720d0dcc60f
Make sure that clients can't access buffers belonging to other users
A manipulated, but properly authenticated client was able to retrieve the backlog of other users on the same core in some cases by providing an appropriate BufferID to the storage engine. Note that proper authentication was still required, so exploiting this requires malicious users on your core. This commit fixes this issue by ensuring that foreign BufferIDs are off-limits.
---
diff --git a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
index 09f202e8..cccfa7cd 100644
--- a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
+++ b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
@@ -1,3 +1,3 @@
 SELECT bufferid, networkid, buffertype, groupid, buffername
 FROM buffer
-WHERE bufferid = :bufferid
+WHERE userid = :userid AND bufferid = :bufferid
diff --git a/src/core/SQL/PostgreSQL/16/update_network.sql b/src/core/SQL/PostgreSQL/16/update_network.sql
index a000f61e..d2dea840 100644
--- a/src/core/SQL/PostgreSQL/16/update_network.sql
+++ b/src/core/SQL/PostgreSQL/16/update_network.sql
@@ -17,4 +17,5 @@ rejoinchannels = :rejoinchannels,
 usesasl = :usesasl,
 saslaccount = :saslaccount,
 saslpassword = :saslpassword
-WHERE networkid = :networkid
+WHERE userid = :userid AND networkid = :networkid
+
diff --git a/src/core/SQL/SQLite/17/select_buffer_by_id.sql b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
index 09f202e8..6bd35f0b 100644
--- a/src/core/SQL/SQLite/17/select_buffer_by_id.sql
+++ b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
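Review bot: In src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql the new `userid = :userid` predicate is only an access check if `:userid` is bound from the authenticated session and never from a value the client sends alongside the BufferID; the code that binds it is not part of the diff shown here, so that is worth confirming at the call site. A buffer owned by another user now returns no row, the same as a buffer that does not exist, and the caller should keep returning one result for both so the lookup does not disclose which IDs are in use. Since `bufferid` alone presumably identifies the row, a short comment where the query is executed, such as `// userid is the ownership check; do not drop it as redundant`, would stop a later cleanup from undoing the fix.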
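Review bot: In src/core/SQL/PostgreSQL/16/update_network.sql the UPDATE now matches zero rows when the NetworkID belongs to another user, and nothing visible here makes that outcome distinguishable from a successful write. The caller (outside the diff as shown) should read the affected-row count after executing the statement, report failure when it is 0, and log the user and NetworkID, since a zero-row update from an authenticated client is a useful signal of a manipulated client. The hunk also adds an empty line after the WHERE clause (the lone `+`); it is harmless but can be dropped so the file ends on `WHERE userid = :userid AND networkid = :networkid`.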
@@ -1,3 +1,3 @@
 SELECT bufferid, networkid, buffertype, groupid, buffername
 FROM buffer
-WHERE bufferid = :bufferid
+WHERE bufferid = :bufferid AND userid = :userid
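Review bot: The predicate order in src/core/SQL/SQLite/17/select_buffer_by_id.sql, `WHERE bufferid = :bufferid AND userid = :userid`, is the reverse of the PostgreSQL copy of the same statement, which this commit changes to `WHERE userid = :userid AND bufferid = :bufferid`. Both files had the same blob id (09f202e8) before the change and now differ (cccfa7cd vs 6bd35f0b), so the two backends no longer share byte-identical SQL. With named placeholders the order should not affect the result, but if either backend binds values by position the order becomes load-bearing, so it is safer to use one form in both files, for example `WHERE userid = :userid AND bufferid = :bufferid` here, after checking that it matches the bind order in the SQLite storage code.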