yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #13024 from zmstone/0513-deny-plush-hash-by-default-ACL 

fix: deny subscribing to +/# by default ACL
This commit is contained in:
Zaiming (Stone) Shi 2024-05-14 09:43:42 +02:00 committed by GitHub
parent c02701dfa1 290ebe2fc5
commit 34bf291539
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apps/emqx_auth/etc/acl.conf
View File

@ -4,7 +4,7 @@
{allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}. {allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}.
{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}. {deny, all, subscribe, ["$SYS/#", {eq, "#"}, {eq, "+/#"}]}.
{allow, all}. {allow, all}.
%% NOTE! when deploy in production: %% NOTE! when deploy in production:

3
changes/ce/fix-13024.en.md Normal file
View File

@ -0,0 +1,3 @@
Add a default ACL deny-rule to reject subscription to `+/#` topic.
Since EMQX by default rejects subscription to `#` topic, for completeness, it should reject `+/#` as well.