diff options
author | Huang Zhw <huang_zhw@126.com> | 2021-03-26 19:10:01 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-26 14:10:01 +0300 |
commit | e138698e54e97bfaababf56507026bf92dd4deb4 (patch) | |
tree | 9546f312fda235d415cbb717f9d5eb660535f261 /src/acl.c | |
parent | db6655deb42d32374c71d00caf48efb63a13c2ec (diff) | |
download | redis-e138698e54e97bfaababf56507026bf92dd4deb4.tar.gz |
make processCommand check publish channel permissions. (#8534)
Add publish channel permissions check in processCommand.
processCommand didn't check publish channel permissions, so we can
queue a publish command in a transaction. But when exec the transaction,
it will fail with -NOPERM.
We also union keys/commands/channels permissions check togegher in
ACLCheckAllPerm. Remove pubsubCheckACLPermissionsOrReply in
publishCommand/subscribeCommand/psubscribeCommand. Always
check permissions in processCommand/execCommand/
luaRedisGenericCommand.
Diffstat (limited to 'src/acl.c')
-rw-r--r-- | src/acl.c | 16 |
1 files changed, 16 insertions, 0 deletions
@@ -1360,6 +1360,22 @@ int ACLCheckPubsubPerm(client *c, int idx, int count, int literal, int *idxptr) } +/* Check whether the command is ready to be exceuted by ACLCheckCommandPerm. + * If check passes, then check whether pub/sub channels of the command is + * ready to be executed by ACLCheckPubsubPerm */ +int ACLCheckAllPerm(client *c, int *idxptr) { + int acl_retval = ACLCheckCommandPerm(c,idxptr); + if (acl_retval != ACL_OK) + return acl_retval; + if (c->cmd->proc == publishCommand) + acl_retval = ACLCheckPubsubPerm(c,1,1,0,idxptr); + else if (c->cmd->proc == subscribeCommand) + acl_retval = ACLCheckPubsubPerm(c,1,c->argc-1,0,idxptr); + else if (c->cmd->proc == psubscribeCommand) + acl_retval = ACLCheckPubsubPerm(c,1,c->argc-1,1,idxptr); + return acl_retval; +} + /* ============================================================================= * ACL loading / saving functions * ==========================================================================*/ |