author | antirez <antirez@gmail.com> | 2019-09-11 19:42:10 +0200 |
---|---|---|
committer | antirez <antirez@gmail.com> | 2019-09-11 19:42:10 +0200 |
commit | f4d37173fef8a020fe99a7b98e32a9201113cc09 (patch) | |
tree | bfebacda4b8394f3e3c0cfacd33474307bae8b11 | |
parent | ae8cab3296e71df1130aec59c679d682bec440ae (diff) | |
download | redis-f4d37173fef8a020fe99a7b98e32a9201113cc09.tar.gz |
ACL: protect MULTI/EXEC transactions after rules change.
-rw-r--r-- | src/multi.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/src/multi.c b/src/multi.c
index 71090d8ed..f885fa19c 100644
--- a/src/multi.c
+++ b/src/multi.c
@@ -175,7 +175,19 @@ void execCommand(client *c) {
 must_propagate = 1;
 }
- call(c,server.loading ? CMD_CALL_NONE : CMD_CALL_FULL);
+ int acl_retval = ACLCheckCommandPerm(c);
+ if (acl_retval != ACL_OK) {
+ addReplyErrorFormat(c,
+ "-NOPERM ACLs rules changed between the moment the "
+ "transaction was accumulated and the EXEC call. "
+ "This command is no longer allowed for the "
+ "following reason: %s",
+ (acl_retval == ACL_DENIED_CMD) ?
+ "no permission to execute the command or subcommand" :
+ "no permission to touch the specified keys");
+ } else {
+ call(c,server.loading ? CMD_CALL_NONE : CMD_CALL_FULL);
+ }
 /* Commands may alter argc/argv, restore mstate. */
 c->mstate.commands[j].argc = c->argc; |
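Review bot: The permission re-check sits after the propagation bookkeeping (`must_propagate = 1;` in the leading context), so a queued write command that is now denied appears to have already marked the transaction for propagation before it is rejected. That block's condition lies above the hunk and should be confirmed there; placing the `ACLCheckCommandPerm(c)` call ahead of it would avoid the question. As far as the hunk shows, a denied command only yields an error in its own reply slot while the other queued commands still run, so a transaction can be partially applied after a rule change. That deserves a comment above the check, such as `/* ACL permissions are re-checked at EXEC time in case they changed after the commands were queued; a denied command is skipped, the others still run. */`. The ternary also reports every result other than `ACL_DENIED_CMD` as a key-permission failure, which would mislead if `ACLCheckCommandPerm` ever returns another code. execCommand's body starts and ends outside the hunk.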