From a1a24daa615a4e0679546c8a7a673720d0dcc60f Mon Sep 17 00:00:00 2001
From: Marcus Eggenberger
Date: Sun, 24 Nov 2013 17:03:34 +0100
Subject: [PATCH] Make sure that clients can't access buffers belonging to other users

A manipulated, but properly authenticated client was able to retrieve the backlog of other users on the same core in some cases by providing an appropriate BufferID to the storage engine. Note that proper authentication was still required, so exploiting this requires malicious users on your core. This commit fixes this issue by ensuring that foreign BufferIDs are off-limits.
---
 src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql | 2 +-
 src/core/SQL/PostgreSQL/16/update_network.sql | 3 ++-
 src/core/SQL/SQLite/17/select_buffer_by_id.sql | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
index 09f202e8..cccfa7cd 100644
--- a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
+++ b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
@@ -1,3 +1,3 @@
 SELECT bufferid, networkid, buffertype, groupid, buffername
 FROM buffer
-WHERE bufferid = :bufferid
+WHERE userid = :userid AND bufferid = :bufferid
diff --git a/src/core/SQL/PostgreSQL/16/update_network.sql b/src/core/SQL/PostgreSQL/16/update_network.sql
index a000f61e..d2dea840 100644
--- a/src/core/SQL/PostgreSQL/16/update_network.sql
+++ b/src/core/SQL/PostgreSQL/16/update_network.sql
@@ -17,4 +17,5 @@ rejoinchannels = :rejoinchannels,
 usesasl = :usesasl,
 saslaccount = :saslaccount,
 saslpassword = :saslpassword
-WHERE networkid = :networkid
+WHERE userid = :userid AND networkid = :networkid
+
diff --git a/src/core/SQL/SQLite/17/select_buffer_by_id.sql b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
index 09f202e8..6bd35f0b 100644
--- a/src/core/SQL/SQLite/17/select_buffer_by_id.sql
+++ b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
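Review bot: In src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql the ownership check now lives only in this one lookup (`WHERE userid = :userid AND bufferid = :bufferid`), so the fix holds only if every statement that accepts a client-supplied bufferid either runs this lookup first or carries its own `userid = :userid` predicate. Those other statements and the calling code are not part of this patch, so that should be confirmed rather than assumed. The value bound to `:userid` has to come from the authenticated session and never from the request, and a foreign id now yields zero rows, which the caller should treat as "no such buffer". A regression test that requests a bufferid owned by a different user and expects an empty result would pin the behaviour down.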
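Review bot: The diffstat lists only the PostgreSQL copy of update_network.sql, so whether the SQLite counterpart carries the same `WHERE userid = :userid AND networkid = :networkid` cannot be seen from this patch; please confirm it does, or add it in the same change, since this statement writes `saslaccount` and `saslpassword` and a backend left filtering on networkid alone would keep the cross-user gap open there. The commit message mentions only buffers, so a sentence covering the network update would help anyone auditing the fix later. The hunk also adds an empty line after the WHERE clause that looks unintentional. The UPDATE statement begins above the hunk, so the SET list is only partly visible.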
@@ -1,3 +1,3 @@
 SELECT bufferid, networkid, buffertype, groupid, buffername
 FROM buffer
-WHERE bufferid = :bufferid
+WHERE bufferid = :bufferid AND userid = :userid
-- 
2.20.1
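Review bot: The SQLite statement writes the new predicate as `WHERE bufferid = :bufferid AND userid = :userid`, the reverse of the PostgreSQL file in this same patch (`WHERE userid = :userid AND bufferid = :bufferid`). The two are equivalent, but keeping the per-backend copies textually identical makes it easier to diff them and to spot a backend that is missing the ownership check, so I would use `WHERE userid = :userid AND bufferid = :bufferid` here as well.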