yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #9667 from olcai/remove-clientid-in-publish-request-body 

fix(mgmt_api): remove possibility to set clientid in /publish API
This commit is contained in:
Zaiming (Stone) Shi 2023-01-10 22:31:35 +01:00 committed by GitHub
parent 8f01ee41d3 fb97096405
commit 6bbb5edb53
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 6 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/emqx_management/i18n/emqx_mgmt_api_publish_i18n.conf
View File

@ -63,12 +63,6 @@ result of each individual message in the batch.
zh: "MQTT 消息的 QoS" zh: "MQTT 消息的 QoS"
} }
} }
clientid {
desc {
en: "Each message can be published as if it is done on behalf of an MQTT client whos ID can be specified in this field."
zh: "每个消息都可以带上一个 MQTT 客户端 ID用于模拟 MQTT 客户端的发布行为。"
}
}
payload { payload {
desc { desc {
en: "The MQTT message payload." en: "The MQTT message payload."

10
apps/emqx_management/src/emqx_mgmt_api_publish.erl
View File

@ -104,9 +104,7 @@ fields(message) ->
})}, })},
{clientid, {clientid,
hoconsc:mk(binary(), #{ hoconsc:mk(binary(), #{
desc => ?DESC(clientid), deprecated => {since, "v5.0.14"}
required => false,
example => <<"api_example_client">>
})}, })},
{payload, {payload,
hoconsc:mk(binary(), #{ hoconsc:mk(binary(), #{
@ -254,7 +252,6 @@ is_ok_deliver({_NodeOrShare, _MatchedTopic, {error, _}}) -> false.
%% %%%%%% Below error codes are not implemented so far %%%% %% %%%%%% Below error codes are not implemented so far %%%%
%% %%
%% If HTTP request passes HTTP authentication, it is considered trusted. %% If HTTP request passes HTTP authentication, it is considered trusted.
%% In the future, we may choose to check ACL for the provided MQTT Client ID
%% 135 Not authorized 401 %% 135 Not authorized 401
%% %%
%% %%%%%% Below error codes are not applicable %%%%%%% %% %%%%%% Below error codes are not applicable %%%%%%%
@ -326,7 +323,6 @@ make_message(Map) ->
Encoding = maps:get(<<"payload_encoding">>, Map, plain), Encoding = maps:get(<<"payload_encoding">>, Map, plain),
case decode_payload(Encoding, maps:get(<<"payload">>, Map)) of case decode_payload(Encoding, maps:get(<<"payload">>, Map)) of
{ok, Payload} -> {ok, Payload} ->
From = maps:get(<<"clientid">>, Map, http_api),
QoS = maps:get(<<"qos">>, Map, 0), QoS = maps:get(<<"qos">>, Map, 0),
Topic = maps:get(<<"topic">>, Map), Topic = maps:get(<<"topic">>, Map),
Retain = maps:get(<<"retain">>, Map, false), Retain = maps:get(<<"retain">>, Map, false),
@ -346,7 +342,9 @@ make_message(Map) ->
error:_Reason -> error:_Reason ->
throw(invalid_topic_name) throw(invalid_topic_name)
end, end,
Message = emqx_message:make(From, QoS, Topic, Payload, #{retain => Retain}, Headers), Message = emqx_message:make(
http_api, QoS, Topic, Payload, #{retain => Retain}, Headers
),
Size = emqx_message:estimate_size(Message), Size = emqx_message:estimate_size(Message),
(Size > size_limit()) andalso throw(packet_too_large), (Size > size_limit()) andalso throw(packet_too_large),
{ok, Message}; {ok, Message};

1
changes/v5.0.14/fix-9667.en.md Normal file
View File

@ -0,0 +1 @@
Remove possibility to set `clientid` for `/publish` and `/publish/bulk` HTTP APIs. This is to reduce the risk for security confusion.

1
changes/v5.0.14/fix-9667.zh.md Normal file
View File

@ -0,0 +1 @@
从 HTTP API /publish 和 /publish/bulk 中移除 clientid, 降低安全风险