From 0960259835587401d6ac5d96b0c89a7ca60232c9 Mon Sep 17 00:00:00 2001
From: antirez
Date: Wed, 30 Jan 2019 15:59:45 +0100
Subject: [PATCH] ACL: don't allow patterns after the * pattern.
---
 src/acl.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/acl.c b/src/acl.c
index cb054a7e..c4f4984a 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -493,6 +493,8 @@ void ACLAddAllowedSubcommand(user *u, unsigned long id, const char *sub) {
 * known.
 * EBUSY: The subcommand you want to add is about a command that is currently
 * fully added.
+ * EEXIST: You are adding a key pattern after "*" was already added. This is
+ * almost surely an error on the user side.
 */
 int ACLSetUser(user *u, const char *op, ssize_t oplen) {
 if (oplen == -1) oplen = strlen(op);
@@ -538,6 +540,10 @@ int ACLSetUser(user *u, const char *op, ssize_t oplen) {
 if (ln) listDelNode(u->passwords,ln);
 sdsfree(delpass);
 } else if (op[0] == '~') {
+ if (u->flags & USER_FLAG_ALLKEYS) {
+ errno = EEXIST;
+ return C_ERR;
+ }
 sds newpat = sdsnewlen(op+1,oplen-1);
 listNode *ln = listSearchKey(u->patterns,newpat);
 /* Avoid re-adding the same pattern multiple times. */
@@ -830,6 +836,11 @@ void aclCommand(client *c) {
 errmsg = "adding a subcommand of a command already fully "
 "added is not allowed. Remove the command to start. "
 "Example: -DEBUG +DEBUG|DIGEST";
+ else if (errno == EEXIST)
+ errmsg = "adding a pattern after the * pattern (or the "
+ "'allkeys' flag) is not valid and does not have any "
+ "effect. Try 'resetkeys' to start with an empty "
+ "list of patterns";
 addReplyErrorFormat(c,
 "Error in ACL SETUSER modifier '%s': %s",
 (char*)c->argv[j]->ptr, errmsg);
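Review bot: The new EEXIST entry in the ACLSetUser header comment names only "*", while the guard added in the second hunk tests USER_FLAG_ALLKEYS and the client-facing text in aclCommand also mentions the 'allkeys' flag. I would word the entry as `* EEXIST: You are adding a key pattern after "*" (or "allkeys") was already added.` so the documented condition matches the one the code checks. It would also help to say there that `resetkeys` is the way to start over, as the error message already does. The comment block starts above this hunk.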
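Review bot: The guard added at the top of the `~` branch has no comment saying why the pattern is refused rather than stored. A line such as `/* ALLKEYS is set: a further pattern could not narrow access, so fail rather than let the caller assume it did. */` would record the intent, which matters because an operator adding a pattern is usually trying to restrict a user. Whether any other code that appends to u->patterns goes through ACLSetUser and therefore gets the same check is not visible here and is worth confirming. ACLSetUser begins before and continues after this hunk.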
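Review bot: This error path in aclCommand replies after a single modifier fails, and nothing in the hunk shows whether modifiers earlier in the same ACL SETUSER call are undone. If ACLSetUser is applied to the live user argument by argument, a call that hits the new EEXIST case midway would leave the user partly updated; in that case either the message should say earlier modifiers were kept, or the loop should work on a copy and commit only on success. The chain also depends on `errno` still holding the value set by ACLSetUser, so nothing that can overwrite it may run between that call and these tests; the call site is outside the hunk. aclCommand starts before and continues after these lines.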