Make sure that clients can't access buffers belonging to other users

A manipulated, but properly authenticated client was able to retrieve the backlog of other users on the same core in some cases by providing an appropriate BufferID to the storage engine. Note that proper authentication was still required, so exploiting this requires malicious users on your core. This commit fixes this issue by ensuring that foreign BufferIDs are off-limits.
quassel · Nov 24, 2013 · 1fc8eb5 · 1fc8eb5
1 parent 03c4c31
commit 1fc8eb5
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 3 deletions.
diff --git a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
@@ -1,3 +1,3 @@
 SELECT bufferid, networkid, buffertype, groupid, buffername
 FROM buffer
-WHERE bufferid = :bufferid
+WHERE userid = :userid AND bufferid = :bufferid
diff --git a/src/core/SQL/PostgreSQL/16/update_network.sql b/src/core/SQL/PostgreSQL/16/update_network.sql
@@ -17,4 +17,5 @@ rejoinchannels = :rejoinchannels,
 usesasl = :usesasl,
 saslaccount = :saslaccount,
 saslpassword = :saslpassword
-WHERE networkid = :networkid
+WHERE userid = :userid AND networkid = :networkid
+
diff --git a/src/core/SQL/SQLite/17/select_buffer_by_id.sql b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
@@ -1,3 +1,3 @@
 SELECT bufferid, networkid, buffertype, groupid, buffername
 FROM buffer
-WHERE bufferid = :bufferid
+WHERE bufferid = :bufferid AND userid = :userid