fix: deny subscribing to +/# by default ACL

Prior to this change, EMQX default ACL has a deny rule to reject subscribing to `#`. For completeness, the default ACL should also deny `+/#` because they are essentially equivalent.
2024-05-13 09:12:25 +02:00 · 2024-05-13 09:12:25 +02:00 · 290ebe2fc5
parent c02701dfa1
commit 290ebe2fc5
2 changed files with 4 additions and 1 deletions
--- a/apps/emqx_auth/etc/acl.conf
+++ b/apps/emqx_auth/etc/acl.conf
@ -4,7 +4,7 @@

 {allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}.

-{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.
+{deny, all, subscribe, ["$SYS/#", {eq, "#"}, {eq, "+/#"}]}.

 {allow, all}.
 %% NOTE! when deploy in production:
--- a/changes/ce/fix-13024.en.md
+++ b/changes/ce/fix-13024.en.md
@ -0,0 +1,3 @@
+Add a default ACL deny-rule to reject subscription to `+/#` topic.
+
+Since EMQX by default rejects subscription to `#` topic, for completeness, it should reject `+/#` as well.