1
From a1a24daa615a4e0679546c8a7a673720d0dcc60f Mon Sep 17 00:00:00 2001
2
From: Marcus Eggenberger <egs@quassel-irc.org>
3
Date: Sun, 24 Nov 2013 17:03:34 +0100
4
Subject: [PATCH] Make sure that clients can't access buffers belonging to
7
A manipulated, but properly authenticated client was able to retrieve
8
the backlog of other users on the same core in some cases by providing
9
an appropriate BufferID to the storage engine. Note that proper
10
authentication was still required, so exploiting this requires
11
malicious users on your core. This commit fixes this issue by ensuring
12
that foreign BufferIDs are off-limits.
14
src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql | 2 +-
15
src/core/SQL/PostgreSQL/16/update_network.sql | 3 ++-
16
src/core/SQL/SQLite/17/select_buffer_by_id.sql | 2 +-
17
3 files changed, 4 insertions(+), 3 deletions(-)
19
diff --git a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
20
index 09f202e..cccfa7c 100644
21
--- a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
22
+++ b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
24
SELECT bufferid, networkid, buffertype, groupid, buffername
26
-WHERE bufferid = :bufferid
27
+WHERE userid = :userid AND bufferid = :bufferid
28
diff --git a/src/core/SQL/PostgreSQL/16/update_network.sql b/src/core/SQL/PostgreSQL/16/update_network.sql
29
index a000f61..d2dea84 100644
30
--- a/src/core/SQL/PostgreSQL/16/update_network.sql
31
+++ b/src/core/SQL/PostgreSQL/16/update_network.sql
32
@@ -17,4 +17,5 @@ rejoinchannels = :rejoinchannels,
34
saslaccount = :saslaccount,
35
saslpassword = :saslpassword
36
-WHERE networkid = :networkid
37
+WHERE userid = :userid AND networkid = :networkid
39
diff --git a/src/core/SQL/SQLite/17/select_buffer_by_id.sql b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
40
index 09f202e..6bd35f0 100644
41
--- a/src/core/SQL/SQLite/17/select_buffer_by_id.sql
42
+++ b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
44
SELECT bufferid, networkid, buffertype, groupid, buffername
46
-WHERE bufferid = :bufferid
47
+WHERE bufferid = :bufferid AND userid = :userid