ACL: protect MULTI/EXEC transactions after rules change.

2019-09-11 19:42:10 +02:00 · 2019-09-11 19:42:10 +02:00 · e645c794cf
commit e645c794cf
parent a468b0cfb0
1 changed files with 13 additions and 1 deletions
--- a/src/multi.c
+++ b/src/multi.c
@ -175,7 +175,19 @@ void execCommand(client *c) {
            must_propagate = 1;
        }

+        int acl_retval = ACLCheckCommandPerm(c);
+        if (acl_retval != ACL_OK) {
+            addReplyErrorFormat(c,
+                "-NOPERM ACLs rules changed between the moment the "
+                "transaction was accumulated and the EXEC call. "
+                "This command is no longer allowed for the "
+                "following reason: %s",
+                (acl_retval == ACL_DENIED_CMD) ?
+                "no permission to execute the command or subcommand" :
+                "no permission to touch the specified keys");
+        } else {
            call(c,server.loading ? CMD_CALL_NONE : CMD_CALL_FULL);
+        }

        /* Commands may alter argc/argv, restore mstate. */
        c->mstate.commands[j].argc = c->argc;