[feladat @ 308]
Bugfix: when not all data was entered correctly when creating a new user, an error was displayed, but the user still was created.
Bugfix: A possible privilege escalation has been reported by Pim Rupert. This has also been adressed.
--- a/add_user.php Fri Sep 26 10:02:33 2008 +0000
+++ b/add_user.php Mon Nov 10 21:07:14 2008 +0000
@@ -49,16 +49,18 @@
echo " <td class=\"n\">" . _('Emailaddress') . "</td>\n";
echo " <td class=\"n\"><input type=\"text\" class=\"input\" name=\"email\" value=\"\"></td>\n";
echo " </tr>\n";
- echo " <tr>\n";
- echo " <td class=\"n\">" . _('Permission template') . "</td>\n";
- echo " <td class=\"n\">\n";
- echo " <select name=\"perm_templ\">\n";
- foreach (list_permission_templates() as $template) {
- echo " <option value=\"" . $template['id'] . "\">" . $template['name'] . "</option>\n";
+ if (verify_permission('user_edit_templ_perm')) {
+ echo " <tr>\n";
+ echo " <td class=\"n\">" . _('Permission template') . "</td>\n";
+ echo " <td class=\"n\">\n";
+ echo " <select name=\"perm_templ\">\n";
+ foreach (list_permission_templates() as $template) {
+ echo " <option value=\"" . $template['id'] . "\">" . $template['name'] . "</option>\n";
+ }
+ echo " </select>\n";
+ echo " </td>\n";
+ echo " </tr>\n";
}
- echo " </select>\n";
- echo " </td>\n";
- echo " </tr>\n";
echo " <tr>\n";
echo " <td class=\"n\">" . _('Description') . "</td>\n";
echo " <td class=\"n\"><textarea rows=\"4\" cols=\"30\" class=\"inputarea\" name=\"descr\"></textarea></td>\n";
--- a/edit_user.php Fri Sep 26 10:02:33 2008 +0000
+++ b/edit_user.php Mon Nov 10 21:07:14 2008 +0000
@@ -114,16 +114,18 @@
echo " <td class=\"n\">" . _('Emailaddress') . "</td>\n";
echo " <td class=\"n\"><input type=\"text\" class=\"input\" name=\"email\" value=\"" . $user['email'] . "\"></td>\n";
echo " </tr>\n";
- echo " <tr>\n";
- echo " <td class=\"n\">" . _('Permission template') . "</td>\n";
- echo " <td class=\"n\">\n";
- echo " <select name=\"perm_templ\">\n";
- foreach (list_permission_templates() as $template) {
- ($template['id'] == $user['tpl_id']) ? $select = " SELECTED" : $select = "" ;
- echo " <option value=\"" . $template['id'] . "\"" . $select . ">" . $template['name'] . "</option>\n";
+ if (verify_permission('user_edit_templ_perm')) {
+ echo " <tr>\n";
+ echo " <td class=\"n\">" . _('Permission template') . "</td>\n";
+ echo " <td class=\"n\">\n";
+ echo " <select name=\"perm_templ\">\n";
+ foreach (list_permission_templates() as $template) {
+ ($template['id'] == $user['tpl_id']) ? $select = " SELECTED" : $select = "" ;
+ echo " <option value=\"" . $template['id'] . "\"" . $select . ">" . $template['name'] . "</option>\n";
+ }
+ echo " </select>\n";
+ echo " </td>\n";
}
- echo " </select>\n";
- echo " </td>\n";
echo " </tr>\n";
echo " <tr>\n";
echo " <td class=\"n\">" . _('Description') . "</td>\n";
--- a/inc/users.inc.php Fri Sep 26 10:02:33 2008 +0000
+++ b/inc/users.inc.php Mon Nov 10 21:07:14 2008 +0000
@@ -313,9 +313,11 @@
$query = "UPDATE users SET
username = " . $db->quote($user, 'text') . ",
fullname = " . $db->quote($fullname, 'text') . ",
- email = " . $db->quote($email, 'text') . ",
- perm_templ = " . $db->quote($perm_templ, 'integer') . ",
- description = " . $db->quote($description, 'text') . ",
+ email = " . $db->quote($email, 'text') . ",";
+ if (verify_permission('user_edit_templ_perm')) {
+ $query .= "perm_templ = " . $db->quote($perm_templ, 'integer') . ",";
+ }
+ $query .= "description = " . $db->quote($description, 'text') . ",
active = " . $db->quote($active, 'integer') ;
if($password != "") {
@@ -734,29 +736,34 @@
if (!verify_permission('user_add_new')) {
error(ERR_PERM_ADD_USER);
-
+ return false;
} elseif (user_exists($details['username'])) {
error(ERR_USER_EXISTS);
-
+ return false;
} elseif (!is_valid_email($details['email'])) {
error(ERR_INV_EMAIL);
-
+ return false;
} elseif ($details['active'] == 1) {
$active = 1;
} else {
$active = 0;
}
- $query = "INSERT INTO users (username, password, fullname, email, description, perm_templ, active) VALUES ("
+ $query = "INSERT INTO users (username, password, fullname, email, description,";
+ if (verify_permission('user_edit_templ_perm')) {
+ $query .= ' perm_templ,';
+ }
+ $query .= " active) VALUES ("
. $db->quote($details['username'], 'text') . ", "
. $db->quote(md5($details['password']), 'text') . ", "
. $db->quote($details['fullname'], 'text') . ", "
. $db->quote($details['email'], 'text') . ", "
- . $db->quote($details['descr'], 'text') . ", "
- . $db->quote($details['perm_templ'], 'integer') . ", "
- . $db->quote($active, 'integer')
+ . $db->quote($details['descr'], 'text') . ", ";
+ if (verify_permission('user_edit_templ_perm')) {
+ $query .= $db->quote($details['perm_templ'], 'integer') . ", ";
+ }
+ $query .= $db->quote($active, 'integer')
. ")";
-
$response = $db->query($query);
if (PEAR::isError($response)) { error($response->getMessage()); return false; }