
fix: deny subscribing to +/# by default ACL

Prior to this change, EMQX default ACL has a deny rule to reject
subscribing to `#`.
For completeness, the default ACL should also deny `+/#` because
they are essentially equivalent.
zmstone, 1 year ago
parent
commit 290ebe2fc5
2 changed files, 4 additions and 1 deletion
  1. apps/emqx_auth/etc/acl.conf (1 addition, 1 deletion)
  2. changes/ce/fix-13024.en.md (3 additions, 0 deletions)

+ 1 - 1
apps/emqx_auth/etc/acl.conf

@@ -4,7 +4,7 @@
 
 {allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}.
 
-{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.
+{deny, all, subscribe, ["$SYS/#", {eq, "#"}, {eq, "+/#"}]}.
 
 {allow, all}.
 %% NOTE! when deploy in production:
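Review bot: The added `{eq, "+/#"}` term on the deny line is an exact-match entry, like `{eq, "#"}` next to it, so the rule rejects only those two literal filter strings; any other wildcard subscription still falls through to `{allow, all}.` directly below. A short `%%` comment above the deny rule saying that it blocks exactly `#` and `+/#` and is not a full wildcard restriction would keep readers from assuming broader coverage, and it could point at the existing production note that follows `{allow, all}.`.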

+ 3 - 0
changes/ce/fix-13024.en.md

@@ -0,0 +1,3 @@
+Add a default ACL deny-rule to reject subscription to `+/#` topic.
+
+Since EMQX by default rejects subscription to `#` topic, for completeness, it should reject `+/#` as well.
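Review bot: The changelog entry does not say that this is a behaviour change for clients that currently subscribe to `+/#` under the default ACL, nor that the change lives in the shipped `acl.conf` file. Adding one sentence that such subscriptions will now be denied, and that deployments with their own ACL file need to add `{eq, "+/#"}` themselves if they want the same rule, would make the entry actionable. Minor wording: `+/#` and `#` are topic filters rather than topics, so "subscription to the `+/#` topic filter" reads more accurately.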