Merge pull request #9667 from olcai/remove-clientid-in-publish-request-body

fix(mgmt_api): remove possibility to set clientid in /publish API
2023-01-10 22:31:35 +01:00 · 2023-01-10 22:31:35 +01:00 · 6bbb5edb53
parent 8f01ee41d3 fb97096405
commit 6bbb5edb53
4 changed files with 6 additions and 12 deletions
--- a/apps/emqx_management/i18n/emqx_mgmt_api_publish_i18n.conf
+++ b/apps/emqx_management/i18n/emqx_mgmt_api_publish_i18n.conf
@ -63,12 +63,6 @@ result of each individual message in the batch.
            zh: "MQTT 消息的 QoS"
        }
    }
-    clientid {
-        desc {
-            en: "Each message can be published as if it is done on behalf of an MQTT client whos ID can be specified in this field."
-            zh: "每个消息都可以带上一个 MQTT 客户端 ID，用于模拟 MQTT 客户端的发布行为。"
-        }
-    }
    payload {
        desc {
            en: "The MQTT message payload."
--- a/apps/emqx_management/src/emqx_mgmt_api_publish.erl
+++ b/apps/emqx_management/src/emqx_mgmt_api_publish.erl
@ -104,9 +104,7 @@ fields(message) ->
            })},
        {clientid,
            hoconsc:mk(binary(), #{
-                desc => ?DESC(clientid),
-                required => false,
-                example => <<"api_example_client">>
+                deprecated => {since, "v5.0.14"}
            })},
        {payload,
            hoconsc:mk(binary(), #{
@ -254,7 +252,6 @@ is_ok_deliver({_NodeOrShare, _MatchedTopic, {error, _}}) -> false.
 %% %%%%%% Below error codes are not implemented so far %%%%
 %%
 %% If HTTP request passes HTTP authentication, it is considered trusted.
-%% In the future, we may choose to check ACL for the provided MQTT Client ID
 %% 135                Not authorized                          401
 %%
 %% %%%%%% Below error codes are not applicable %%%%%%%
@ -326,7 +323,6 @@ make_message(Map) ->
    Encoding = maps:get(<<"payload_encoding">>, Map, plain),
    case decode_payload(Encoding, maps:get(<<"payload">>, Map)) of
        {ok, Payload} ->
-            From = maps:get(<<"clientid">>, Map, http_api),
            QoS = maps:get(<<"qos">>, Map, 0),
            Topic = maps:get(<<"topic">>, Map),
            Retain = maps:get(<<"retain">>, Map, false),
@ -346,7 +342,9 @@ make_message(Map) ->
                error:_Reason ->
                    throw(invalid_topic_name)
            end,
-            Message = emqx_message:make(From, QoS, Topic, Payload, #{retain => Retain}, Headers),
+            Message = emqx_message:make(
+                http_api, QoS, Topic, Payload, #{retain => Retain}, Headers
+            ),
            Size = emqx_message:estimate_size(Message),
            (Size > size_limit()) andalso throw(packet_too_large),
            {ok, Message};
--- a/changes/v5.0.14/fix-9667.en.md
+++ b/changes/v5.0.14/fix-9667.en.md
@ -0,0 +1 @@
+Remove possibility to set `clientid` for `/publish` and `/publish/bulk` HTTP APIs. This is to reduce the risk for security confusion.
--- a/changes/v5.0.14/fix-9667.zh.md
+++ b/changes/v5.0.14/fix-9667.zh.md
@ -0,0 +1 @@
+从 HTTP API /publish 和 /publish/bulk 中移除 clientid, 降低安全风险
				`@ -0,0 +1 @@`
				Remove possibility to set `clientid` for `/publish` and `/publish/bulk` HTTP APIs. This is to reduce the risk for security confusion.
				`@ -0,0 +1 @@`
				`从 HTTP API /publish 和 /publish/bulk 中移除 clientid, 降低安全风险`