Commit a1a24da

MrEgsSput42
authored and committed
Make sure that clients can't access buffers belonging to other users
A manipulated, but properly authenticated client was able to retrieve the backlog of other users on the same core in some cases by providing an appropriate BufferID to the storage engine. Note that proper authentication was still required, so exploiting this requires malicious users on your core. This commit fixes this issue by ensuring that foreign BufferIDs are off-limits.
1 parent ba6a9ce commit a1a24da

3 files changed

+4
-3
lines changed

Diff for: src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql

+1-1
@@ -1,3 +1,3 @@
11
SELECT bufferid, networkid, buffertype, groupid, buffername
22
FROM buffer
3-
WHERE bufferid = :bufferid
3+
WHERE userid = :userid AND bufferid = :bufferid
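
Review bot: The new `:userid` placeholder in the WHERE clause needs a matching bind in the storage code that prepares this query, and that code is not among the three files in this commit. Please confirm the caller binds the user id of the authenticated session, never a value taken from the client request, since an unbound or client-chosen `:userid` would either break the lookup or leave the ownership check ineffective. A regression test that requests another user's BufferID and expects an empty result would pin this behaviour down.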

Diff for: src/core/SQL/PostgreSQL/16/update_network.sql

+2-1
@@ -17,4 +17,5 @@ rejoinchannels = :rejoinchannels,
1717
usesasl = :usesasl,
1818
saslaccount = :saslaccount,
1919
saslpassword = :saslpassword
20-
WHERE networkid = :networkid
20+
WHERE userid = :userid AND networkid = :networkid
21+
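
Review bot: The `userid = :userid` filter added to this UPDATE's WHERE clause is applied only to the PostgreSQL query; no SQLite `update_network.sql` is among the three changed files, so check that the SQLite counterpart already scopes by user or give it the same clause. With the extra predicate a foreign `networkid` now matches zero rows, so the caller should treat zero affected rows as a failure rather than a silent success. The commit message describes only buffer access; it would help to mention that network updates are now scoped by user as well.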

Diff for: src/core/SQL/SQLite/17/select_buffer_by_id.sql

+1-1
@@ -1,3 +1,3 @@
11
SELECT bufferid, networkid, buffertype, groupid, buffername
22
FROM buffer
3-
WHERE bufferid = :bufferid
3+
WHERE bufferid = :bufferid AND userid = :userid
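
Review bot: The predicate order in the new WHERE line (`bufferid = :bufferid AND userid = :userid`) is the reverse of the PostgreSQL version of the same query (`userid = :userid AND bufferid = :bufferid`). The two are equivalent with named placeholders, but keeping both backends textually aligned makes side-by-side audits of ownership checks easier. As with the PostgreSQL query, the caller has to bind `:userid` from the authenticated session.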
