From 290ebe2fc5d8241a546b775ed9391593619e2a8a Mon Sep 17 00:00:00 2001
From: zmstone
Date: Mon, 13 May 2024 09:12:25 +0200
Subject: [PATCH] fix: deny subscribing to +/# by default ACL

Prior to this change, EMQX default ACL has a deny rule to reject subscribing to `#`. For completeness, the default ACL should also deny `+/#` because they are essentially equivalent.
---
 apps/emqx_auth/etc/acl.conf | 2 +-
 changes/ce/fix-13024.en.md | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 changes/ce/fix-13024.en.md

diff --git a/apps/emqx_auth/etc/acl.conf b/apps/emqx_auth/etc/acl.conf
index 3cc0ed5b8..40fe1e1b2 100644
--- a/apps/emqx_auth/etc/acl.conf
+++ b/apps/emqx_auth/etc/acl.conf
@@ -4,7 +4,7 @@
 {allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}.
-{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.
+{deny, all, subscribe, ["$SYS/#", {eq, "#"}, {eq, "+/#"}]}.
 {allow, all}.
 %% NOTE! when deploy in production:
diff --git a/changes/ce/fix-13024.en.md b/changes/ce/fix-13024.en.md
new file mode 100644
index 000000000..ea4309f00
--- /dev/null
+++ b/changes/ce/fix-13024.en.md
@@ -0,0 +1,3 @@
+Add a default ACL deny-rule to reject subscription to `+/#` topic.
+
+Since EMQX by default rejects subscription to `#` topic, for completeness, it should reject `+/#` as well.
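Review bot: The added `{eq, "+/#"}` entry in the acl.conf hunk denies only that literal filter string, so the rule is still a blocklist of exact spellings rather than a check on filter breadth; a filter with one more leading single-level wildcard, such as `+/+/#`, is not matched by either `{eq, ...}` entry and falls through to the `{allow, all}` line that follows. If the intent is "deny wildcard subscriptions that cover the whole topic space", the commit message's claim of completeness overstates what this change achieves, and the limitation should at least be documented next to the rule, e.g. `%% {eq, ...} compares the filter string literally; broader variants such as "+/+/#" are not covered by this rule`. The hunk header counts seven old and seven new lines but only four are visible here, so blank context lines were presumably lost when the patch was collapsed; the surrounding `%% NOTE!` comment continues past the end of the hunk.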