Package: mosquitto-clients
Version: 1.4.10-3
Severity: normal

Dear Maintainer,

I configured my mosquitto server with password_file and acl_file. After this I tried to subscribe to some topic with

    mosquitto_sub -h <server> -u <user> -P <password> -v -t #

Using this command gives no error message but also no output, while there is MQTT traffic on the bus. But in the server log I see:

    1501432282: ACL denying access to client with dangerous client id "mosqsub/14944-dinghy"

where 14944 seems to be the PID of my mosquitto_sub process and dinghy is the client hostname.

This error message seems to be generated by mosquitto-1.4.10_cve-2017-7650.patch, which triggers this message if context->id contains any of "+#/". Bad news: "/" is part of the default client id generated by mosquitto_sub.

As a workaround I can change the client id like this:

    mosquitto_sub -h <server> -u <user> -P <password> -I myclientid -v -t #

and everything works correctly.

I think that the default client id generated by mosquitto_sub shouldn't contain a "/", if mosquitto considers this dangerous (maybe this consideration of the server is a little too restrictive?).

Greetings
Roland

BTW: Same affects jessie with package version 1.3.4-2+deb8u1

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf-8, LC_CTYPE=de_DE.utf-8 (charmap=UTF-8), LANGUAGE=de_DE:de:en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mosquitto-clients depends on:
ii  libc6         2.24-11+deb9u1
ii  libmosquitto1 1.4.10-3

mosquitto-clients recommends no packages.

mosquitto-clients suggests no packages.

-- no debconf information
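The conflict in the report is between two pieces of code: the server-side check added by the CVE-2017-7650 patch, which rejects any client id containing one of "+#/" (because a client id is substituted verbatim into %c ACL patterns, and those three characters are MQTT topic wildcards and the topic level separator), and the client-side default id "mosqsub/<pid>-<host>", which always contains a "/". The following C program is an added illustration, not code from mosquitto or from the reporter; it reimplements the same character check and a default-id generator with a caller-chosen separator, so a packager can confirm that an id built like the reporter's workaround passes the check while the shipped default does not. The function names, the DANGEROUS_ID_CHARS constant and the id layout are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Characters the server-side check from the report rejects in a client id.
 * '+' and '#' are MQTT topic wildcards and '/' is the topic level separator;
 * any of them inside an id would end up unescaped inside a %c ACL pattern. */
static const char DANGEROUS_ID_CHARS[] = "+#/";

/* Returns 1 if the client id contains a character from DANGEROUS_ID_CHARS,
 * 0 otherwise (a NULL id is treated as not dangerous here; the server would
 * handle a missing id separately). Mirrors the patch's check on context->id. */
int client_id_has_wildcard(const char *id)
{
    if (id == NULL) return 0;
    return strpbrk(id, DANGEROUS_ID_CHARS) != NULL;
}

/* Builds a default client id in the shape the report shows
 * ("mosqsub" <sep> <pid> "-" <hostname>) with a caller-chosen separator,
 * so the same layout can be produced without the offending '/'.
 * Returns 0 on success, -1 if sep is itself dangerous or buf is too small.
 * (Hypothetical helper; mosquitto_sub's real generator is not reproduced.) */
int make_default_client_id(char *buf, size_t buflen, char sep, long pid, const char *host)
{
    if (buf == NULL || host == NULL || strchr(DANGEROUS_ID_CHARS, sep) != NULL)
        return -1;
    int n = snprintf(buf, buflen, "mosqsub%c%ld-%s", sep, pid, host);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return 0;
}

int main(void)
{
    char host[64];
    char id[128];
    if (gethostname(host, sizeof host) != 0) strcpy(host, "unknown");
    host[sizeof host - 1] = '\0';

    /* The shipped default layout: separator '/' is rejected by the check. */
    const char *shipped = "mosqsub/14944-dinghy";   /* value from the report */
    printf("%-24s dangerous=%d\n", shipped, client_id_has_wildcard(shipped));

    /* Same layout with '-' as separator passes the check. */
    if (make_default_client_id(id, sizeof id, '-', (long)getpid(), host) == 0)
        printf("%-24s dangerous=%d\n", id, client_id_has_wildcard(id));
    return 0;
}
```

Run as-is, the program prints the report's id flagged as dangerous and a locally generated "mosqsub-<pid>-<host>" id that is accepted; the separator check in make_default_client_id also guards against a packager reintroducing one of the three characters by accident.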