Make sure that clients can't access buffers belonging to other users

A manipulated, but properly authenticated client was able to retrieve
the backlog of other users on the same core in some cases by providing
an appropriate BufferID to the storage engine. Note that proper
authentication was still required, so exploiting this requires
malicious users on your core. This commit fixes this issue by ensuring
that foreign BufferIDs are off-limits.
1 parent ba6a9ce commit a1a24daa615a4e0679546c8a7a673720d0dcc60f @egs-me egs-me committed with Sput42 Nov 24, 2013
2 src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
@@ -1,3 +1,3 @@
SELECT bufferid, networkid, buffertype, groupid, buffername
FROM buffer
-WHERE bufferid = :bufferid
+WHERE userid = :userid AND bufferid = :bufferid
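Review bot: The new `:userid` placeholder in the WHERE clause needs a matching bind in the caller, and no caller change is visible in this diff. Confirm that the storage code preparing select_buffer_by_id binds `:userid` from the authenticated session's user id rather than from a value the client sends; otherwise the added predicate restricts nothing. The caller should also handle an empty result the same way for a foreign BufferID as for a nonexistent one, so the response does not reveal which ids exist.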
3 src/core/SQL/PostgreSQL/16/update_network.sql
@@ -17,4 +17,5 @@ rejoinchannels = :rejoinchannels,
usesasl = :usesasl,
saslaccount = :saslaccount,
saslpassword = :saslpassword
-WHERE networkid = :networkid
+WHERE userid = :userid AND networkid = :networkid
+
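Review bot: With `userid = :userid` added to the WHERE clause, an update aimed at another user's networkid now matches zero rows and still completes without error, so the caller should check the affected-row count and report a failure instead of assuming the update was applied. The commit message only talks about buffers; it should also say that network updates are now scoped by user. The lone `+` blank line added at the end of the file is unrelated to the fix and can be dropped.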
2 src/core/SQL/SQLite/17/select_buffer_by_id.sql
@@ -1,3 +1,3 @@
SELECT bufferid, networkid, buffertype, groupid, buffername
FROM buffer
-WHERE bufferid = :bufferid
+WHERE bufferid = :bufferid AND userid = :userid
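Review bot: This diff has no SQLite counterpart to the PostgreSQL update_network.sql change, so check that the SQLite update_network query already filters on userid, or add the same predicate there. As a style point, the predicate order here (`bufferid = :bufferid AND userid = :userid`) differs from the PostgreSQL version of the same query (`userid = :userid AND bufferid = :bufferid`); the result is identical, but keeping the per-backend files textually aligned makes later audits of these queries easier.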
