siksterkashop / hivemq-test

Apache License 2.0

Wildcard "+" permitted in clientId and username #4

Open siksterkashop opened 1 year ago

siksterkashop commented 1 year ago

In the documentation we can find that:

> Because client identifier and user names can be used for substitution in the permissions, MQTT wildcard characters # and + are prohibited for client identifier and user names when this extension is used. MQTT connections which include these characters are denied by this extension.

Because of that, clientId and username should be checked for the presence of these characters. Currently we are only checking for "#" and not for "+".

IS: Character "+" can be used in username and clientId.

SHOULD BE: Both "#" and "+" should not be permitted for usage in username and clientId.

Code in com/hivemq/extensions/rbac/FileAuthAuthenticator.java:62:

```java
        //prevent clientIds with MQTT wildcard characters
        if (clientId.contains("#")) {
            //client is not authenticated
            simpleAuthOutput.failAuthentication(ConnackReasonCode.CLIENT_IDENTIFIER_NOT_VALID, "The characters '#' and '+' are not allowed in the client identifier");
            return;
        }

        //prevent usernames with MQTT wildcard characters
        if (userName.contains("#")) {
            //client is not authenticated
            simpleAuthOutput.failAuthentication(ConnackReasonCode.BAD_USER_NAME_OR_PASSWORD, "The characters '#' and '+' are not allowed in the username");
            return;
        }
```

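
Added example (not code from the hivemq-test repository or the HiveMQ RBAC extension) showing why the missing "+" check matters: a client identifier substituted into a permission template becomes part of a topic filter, so a lone "+" turns a per-client filter into one that matches every client's topic. The `${clientid}` template syntax, the topic names and the hardened `containsMqttWildcard` check are assumptions made for illustration.

```java
// Added example, not code from the hivemq-test repository or the HiveMQ RBAC extension.
// The "${clientid}" template syntax and the topic names below are assumptions made for illustration.
public final class WildcardCheckExample {

    /** Hardened check: rejects both MQTT wildcard characters, not only '#'. */
    static boolean containsMqttWildcard(String identifier) {
        return identifier.indexOf('#') >= 0 || identifier.indexOf('+') >= 0;
    }

    /** Substitutes the client identifier into a permission template (assumed syntax). */
    static String expandTemplate(String template, String clientId) {
        return template.replace("${clientid}", clientId);
    }

    /** Minimal MQTT topic-filter matcher: '+' matches one level, '#' matches the remainder. */
    static boolean topicMatches(String filter, String topic) {
        String[] f = filter.split("/", -1);
        String[] t = topic.split("/", -1);
        for (int i = 0; i < f.length; i++) {
            if (f[i].equals("#")) return true;   // multi-level wildcard ends the comparison
            if (i >= t.length) return false;      // filter has more levels than the topic
            if (!f[i].equals("+") && !f[i].equals(t[i])) return false;
        }
        return f.length == t.length;
    }

    public static void main(String[] args) {
        String template = "devices/${clientid}/data";     // constructed permission template
        String othersTopic = "devices/other-device/data"; // topic belonging to a different client

        for (String clientId : new String[] {"sensor-1", "+", "sensor#"}) {
            if (containsMqttWildcard(clientId)) {
                System.out.println("reject clientId '" + clientId + "': contains MQTT wildcard");
                continue;
            }
            String filter = expandTemplate(template, clientId);
            System.out.println("clientId '" + clientId + "' -> filter " + filter
                    + ", matches other client's topic: " + topicMatches(filter, othersTopic));
        }

        // Without the '+' check, clientId "+" expands to "devices/+/data", which matches every client's topic.
        System.out.println("unchecked '+' would match other client's topic: "
                + topicMatches(expandTemplate(template, "+"), othersTopic));
    }
}
```
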
doertedev-hivemq commented 1 year ago

awesome - can you please also invite @A-Imal, a colleague and @tamershahin who is the engineering manager for the team we discussed? :) thanks.

siksterkashop commented 1 year ago

Invites sent :)