ACL does not check queuename (or routingkey) on bind
----------------------------------------------------

                 Key: QPID-2063
                 URL: https://issues.apache.org/jira/browse/QPID-2063
             Project: Qpid
          Issue Type: Bug
          Components: C++ Broker
    Affects Versions: 0.5
            Reporter: Tim Platten


ACL allows binding to a queue to which access should be denied. e.g.

ACL:
acl deny  tes...@qpid all queue name=baz
acl allow tes...@qpid bind exchange name=foo queuename=bar routingkey=foo.bar

The following command succeeds and it shouldn't:
qpid-config -a baclo/ba...@localhost bind foo baz foo.bar

I believe this is because SessionAdapter::ExchangeHandlerImpl::bind is not 
checking either queueName or routingKey. I.e.
    AclModule* acl = getBroker().getAcl();
    if (acl) {
        if (!acl->authorise(getConnection().getUserId(), acl::ACT_BIND, acl::OBJ_EXCHANGE, exchangeName, routingKey))

should read:
    AclModule* acl = getBroker().getAcl();
    if (acl) {
        std::map<acl::Property, std::string> params;
        params.insert(make_pair(acl::PROP_QUEUENAME, queueName));
        params.insert(make_pair(acl::PROP_ROUTINGKEY, routingKey));
        if (!acl->authorise(getConnection().getUserId(), acl::ACT_BIND, acl::OBJ_EXCHANGE, exchangeName, &params))


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscr...@qpid.apache.org
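
Added example, not part of the original report and not Qpid code: a simplified first-match ACL model showing why a bind check that never hands the queue name and routing key to the rule comparison lets `bind foo baz foo.bar` through, while supplying them as properties denies it. The `Rule` struct, the `authorise` and `bindAllowed` helpers, the default-deny result and the "skip a constraint when no properties are passed" behaviour are assumptions of this model.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Simplified model of first-match ACL evaluation; not Qpid's AclModule.
enum Prop { NAME, QUEUENAME, ROUTINGKEY };
typedef std::map<Prop, std::string> Props;
struct Rule {
    bool allow;
    std::string action, object;  // action "all" matches any action
    Props props;                 // constraints taken from the ACL line
};

// Assumptions of this model: the first matching rule decides, no match means
// deny, and constraints other than NAME are evaluated only when the caller
// supplies request properties (params != nullptr).
bool authorise(const std::vector<Rule>& acl, const std::string& action,
               const std::string& object, const std::string& name, const Props* params) {
    for (const Rule& r : acl) {
        if (r.object != object || (r.action != "all" && r.action != action)) continue;
        bool match = true;
        for (const auto& c : r.props) {
            if (c.first == NAME) match = match && c.second == name;
            else if (params) {
                auto it = params->find(c.first);
                match = match && it != params->end() && it->second == c.second;
            }
        }
        if (match) return r.allow;
    }
    return false;
}

// Bind check against the two rules from the report (single user assumed).
// withProps=false models a call that passes no queue name or routing key.
bool bindAllowed(const std::string& ex, const std::string& queue,
                 const std::string& key, bool withProps) {
    const std::vector<Rule> acl = {
        {false, "all", "queue", {{NAME, "baz"}}},
        {true, "bind", "exchange", {{NAME, "foo"}, {QUEUENAME, "bar"}, {ROUTINGKEY, "foo.bar"}}},
    };
    Props p = {{QUEUENAME, queue}, {ROUTINGKEY, key}};
    return authorise(acl, "bind", "exchange", ex, withProps ? &p : nullptr);
}

int main() {
    std::cout << bindAllowed("foo", "baz", "foo.bar", false)
              << bindAllowed("foo", "baz", "foo.bar", true) << "\n";
}
```

In the model, the deny rule on queue `baz` never applies to a bind because the bind is authorised against the exchange object, so the queue name has to be part of the request properties for any rule to constrain it.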
