Strict meta channel recognition in server
This addresses a security vulnerability affecting user-added extensions that implement access control for channels. These extensions typically work by checking incoming messages whose channel is `/meta/subscribe` and then performing some authentication routine before allowing the message through. However, the Server parses channels in a way that means any channel namespaced under `/meta/subscribe` will also work as a subscription request. For example, if the client sends a message to the channel `/meta/subscribe/x`, that will bypass most authentication extensions but will still be interpreted by the server as a subscription request, and the client will be subscribed to the requested channel. The client has thus bypassed the user's access control policy. Here we prevent this by using a strict equality check; only messages whose channel is exactly `/meta/subscribe` will be interpreted as subscription requests. The same pattern is applied to all other meta channels.
Showing 4 changed files with 98 additions and 8 deletions.
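The following is an added example, not code from this commit or from the project's own code base. It models the routing mismatch the commit message describes with a minimal stand-in server: one version recognises meta channels by prefix (so `/meta/subscribe/x` is handled as a subscription request), the other by strict equality (the fix). An access-control extension of the usual shape, comparing the channel to the exact string `/meta/subscribe`, is run in front of both. The names `Server`, `authExtension`, `isAuthorized` and the `/private/` namespace are assumptions made for the illustration.

```javascript
// Added example, not Faye's own code: a minimal Bayeux-style message router
// showing why prefix-based recognition of meta channels lets an access-control
// extension be bypassed, and how a strict equality check closes the gap.
// Server, authExtension, isAuthorized and '/private/' are assumed names.

const META_CHANNELS = [
  '/meta/handshake', '/meta/connect', '/meta/subscribe',
  '/meta/unsubscribe', '/meta/disconnect',
];

// Lax recognition: any channel namespaced under a meta channel is treated as
// that meta channel. This is the behaviour the commit message calls vulnerable.
function metaChannelLax(channel) {
  return META_CHANNELS.find(
    (meta) => channel === meta || channel.startsWith(meta + '/')
  ) || null;
}

// Strict recognition: only an exact match is a meta channel (the fix).
function metaChannelStrict(channel) {
  return META_CHANNELS.includes(channel) ? channel : null;
}

// Typical user-written access-control extension: it looks only at messages whose
// channel is exactly '/meta/subscribe' and rejects unauthorised subscriptions.
function authExtension(message, isAuthorized) {
  if (message.channel === '/meta/subscribe' && !isAuthorized(message.subscription)) {
    return Object.assign({}, message, { error: '403:forbidden' });
  }
  return message;
}

class Server {
  constructor(recognizeMeta, isAuthorized) {
    this.recognizeMeta = recognizeMeta;
    this.isAuthorized = isAuthorized;
    this.subscriptions = new Set();
  }

  // Incoming extensions run first, then the server routes on the channel name.
  handle(message) {
    const checked = authExtension(message, this.isAuthorized);
    if (checked.error) return { successful: false, error: checked.error };

    const meta = this.recognizeMeta(checked.channel);
    if (meta === '/meta/subscribe') {
      this.subscriptions.add(checked.subscription);
      return { successful: true };
    }
    if (meta === null) return { successful: false, error: '402:unknown channel' };
    return { successful: true };
  }
}

// Constructed policy for the illustration: anything under '/private/' needs
// authorisation, and this client has none.
const isAuthorized = (subscription) => !subscription.startsWith('/private/');

// Returns true when a subscribe request sent on `channel` leaves the client
// subscribed to '/private/admin'.
function subscribedVia(channel, recognizeMeta) {
  const server = new Server(recognizeMeta, isAuthorized);
  server.handle({ channel, subscription: '/private/admin', clientId: 'c1' });
  return server.subscriptions.has('/private/admin');
}

// A request on the exact meta channel is seen by the extension and rejected
// under both recognisers; a namespaced one slips past the extension and is
// honoured only by the lax server.
console.log(subscribedVia('/meta/subscribe', metaChannelLax));      // false
console.log(subscribedVia('/meta/subscribe', metaChannelStrict));   // false
console.log(subscribedVia('/meta/subscribe/x', metaChannelLax));    // true
console.log(subscribedVia('/meta/subscribe/x', metaChannelStrict)); // false
```

The point worth keeping in mind as a defender is that the extension and the server must agree on what counts as a subscription request: an extension that compares strictly is only as good as a server that routes strictly, which is why the fix belongs in the server rather than in every extension.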