Description
The excess query deletion logic is incorrect and can lead to tokens being deleted erroneously.
Issue
ntfy only allows 20 access tokens to be created per user. Since access tokens are also used by the browser session, excess tokens (> 20) are deleted when the 21st token is created. This excess deletion logic is meant to only delete tokens from the user creating the 21st token. Instead, it accidentally deleted all tokens of all other users, thereby logging everyone out of their ntfy web app sessions, and deleting all other access tokens.
This was a denial-of-service-type security issue, since it effectively allowed a single user to deny access to all other users of a ntfy instance. Please note that while tokens were erroneously deleted, nobody but the token owner ever had access to it.
Details
Original delete query:
DELETE FROM user_token
WHERE (user_id, token) NOT IN (
SELECT user_id, token
FROM user_token
WHERE user_id = ?
ORDER BY expires DESC
LIMIT ?
)Fixed query:
DELETE FROM user_token
WHERE user_id = ?
AND (user_id, token) NOT IN (
SELECT user_id, token
FROM user_token
WHERE user_id = ?
ORDER BY expires DESC
LIMIT ?
)What to do
If you run a multi-user public system, please update your instances to ntfy v2.7.0