
Bugfix: when not all data was entered correctly when creating a new u…

…ser, an error was displayed, but the user still was created.

Bugfix: A possible privilege escalation has been reported by Pim Rupert. This has also been addressed.
1 parent 9b6b452 commit e2a5e668eea1091361707393a035bc43140232b9 @pbeernink pbeernink committed Nov 10, 2008
Showing with 40 additions and 29 deletions.
  1. +11 −9 add_user.php
  2. +11 −9 edit_user.php
  3. +18 −11 inc/users.inc.php
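--- a/add_user.php
+++ b/add_user.php
@@ -49,16 +49,18 @@
 echo " <td class=\"n\">" . _('Emailaddress') . "</td>\n";
 echo " <td class=\"n\"><input type=\"text\" class=\"input\" name=\"email\" value=\"\"></td>\n";
 echo " </tr>\n";
- echo " <tr>\n";
- echo " <td class=\"n\">" . _('Permission template') . "</td>\n";
- echo " <td class=\"n\">\n";
- echo " <select name=\"perm_templ\">\n";
- foreach (list_permission_templates() as $template) {
- echo " <option value=\"" . $template['id'] . "\">" . $template['name'] . "</option>\n";
+ if (verify_permission('user_edit_templ_perm')) {
+ echo " <tr>\n";
+ echo " <td class=\"n\">" . _('Permission template') . "</td>\n";
+ echo " <td class=\"n\">\n";
+ echo " <select name=\"perm_templ\">\n";
+ foreach (list_permission_templates() as $template) {
+ echo " <option value=\"" . $template['id'] . "\">" . $template['name'] . "</option>\n";
+ }
+ echo " </select>\n";
+ echo " </td>\n";
+ echo " </tr>\n";
 }
- echo " </select>\n";
- echo " </td>\n";
- echo " </tr>\n";
 echo " <tr>\n";
 echo " <td class=\"n\">" . _('Description') . "</td>\n";
 echo " <td class=\"n\"><textarea rows=\"4\" cols=\"30\" class=\"inputarea\" name=\"descr\"></textarea></td>\n";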
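Review bot: `$template['id']` and `$template['name']` are concatenated into the `<option>` markup without HTML escaping in the re-indented `foreach` body, so if a template name can contain markup it is rendered as HTML on this form. Passing each through `htmlspecialchars(..., ENT_QUOTES)` before the concatenation keeps the value inert, and the same loop in edit_user.php needs the same treatment. Hiding the select only changes what the browser shows; the check that actually enforces the restriction is the `verify_permission('user_edit_templ_perm')` guard in inc/users.inc.php, and a one-line comment above this `if` saying so would stop a later reader from treating the form as the control. The form code around the hunk starts and ends outside it.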
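--- a/edit_user.php
+++ b/edit_user.php
@@ -114,16 +114,18 @@
 echo " <td class=\"n\">" . _('Emailaddress') . "</td>\n";
 echo " <td class=\"n\"><input type=\"text\" class=\"input\" name=\"email\" value=\"" . $user['email'] . "\"></td>\n";
 echo " </tr>\n";
- echo " <tr>\n";
- echo " <td class=\"n\">" . _('Permission template') . "</td>\n";
- echo " <td class=\"n\">\n";
- echo " <select name=\"perm_templ\">\n";
- foreach (list_permission_templates() as $template) {
- ($template['id'] == $user['tpl_id']) ? $select = " SELECTED" : $select = "" ;
- echo " <option value=\"" . $template['id'] . "\"" . $select . ">" . $template['name'] . "</option>\n";
+ if (verify_permission('user_edit_templ_perm')) {
+ echo " <tr>\n";
+ echo " <td class=\"n\">" . _('Permission template') . "</td>\n";
+ echo " <td class=\"n\">\n";
+ echo " <select name=\"perm_templ\">\n";
+ foreach (list_permission_templates() as $template) {
+ ($template['id'] == $user['tpl_id']) ? $select = " SELECTED" : $select = "" ;
+ echo " <option value=\"" . $template['id'] . "\"" . $select . ">" . $template['name'] . "</option>\n";
+ }
+ echo " </select>\n";
+ echo " </td>\n";
 }
- echo " </select>\n";
- echo " </td>\n";
 echo " </tr>\n";
 echo " <tr>\n";
 echo " <td class=\"n\">" . _('Description') . "</td>\n";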
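Review bot: The row's closing `echo " </tr>\n";` is left outside the new `if (verify_permission('user_edit_templ_perm'))` block while the opening `echo " <tr>\n";` is inside it, so a user without the permission receives a stray `</tr>` with no matching row. Move that echo inside the block, directly before the closing `}`, which is how the same change is laid out in add_user.php. The surrounding form code begins and ends outside the hunk, so how browsers recover from the unbalanced tag in the full table cannot be judged from here.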
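--- a/inc/users.inc.php
+++ b/inc/users.inc.php
@@ -313,9 +313,11 @@ function edit_user($id, $user, $fullname, $email, $perm_templ, $description, $ac
 $query = "UPDATE users SET
 username = " . $db->quote($user, 'text') . ",
 fullname = " . $db->quote($fullname, 'text') . ",
- email = " . $db->quote($email, 'text') . ",
- perm_templ = " . $db->quote($perm_templ, 'integer') . ",
- description = " . $db->quote($description, 'text') . ",
+ email = " . $db->quote($email, 'text') . ",";
+ if (verify_permission('user_edit_templ_perm')) {
+ $query .= "perm_templ = " . $db->quote($perm_templ, 'integer') . ",";
+ }
+ $query .= "description = " . $db->quote($description, 'text') . ",
 active = " . $db->quote($active, 'integer') ;
 if($password != "") {
@@ -734,29 +736,34 @@ function add_new_user($details) {
 if (!verify_permission('user_add_new')) {
 error(ERR_PERM_ADD_USER);
-
+ return false;
 } elseif (user_exists($details['username'])) {
 error(ERR_USER_EXISTS);
-
+ return false;
 } elseif (!is_valid_email($details['email'])) {
 error(ERR_INV_EMAIL);
-
+ return false;
 } elseif ($details['active'] == 1) {
 $active = 1;
 } else {
 $active = 0;
 }
- $query = "INSERT INTO users (username, password, fullname, email, description, perm_templ, active) VALUES ("
+ $query = "INSERT INTO users (username, password, fullname, email, description,";
+ if (verify_permission('user_edit_templ_perm')) {
+ $query .= ' perm_templ,';
+ }
+ $query .= " active) VALUES ("
 . $db->quote($details['username'], 'text') . ", "
 . $db->quote(md5($details['password']), 'text') . ", "
 . $db->quote($details['fullname'], 'text') . ", "
 . $db->quote($details['email'], 'text') . ", "
- . $db->quote($details['descr'], 'text') . ", "
- . $db->quote($details['perm_templ'], 'integer') . ", "
- . $db->quote($active, 'integer')
+ . $db->quote($details['descr'], 'text') . ", ";
+ if (verify_permission('user_edit_templ_perm')) {
+ $query .= $db->quote($details['perm_templ'], 'integer') . ", ";
+ }
+ $query .= $db->quote($active, 'integer')
 . ")";
-
 $response = $db->query($query);
 if (PEAR::isError($response)) { error($response->getMessage()); return false; }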
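Review bot: In add_new_user the column list and the value list are each guarded by a separate `verify_permission('user_edit_templ_perm')` call, so the INSERT is well-formed only if both calls return the same answer. Evaluate it once with `$can_set_templ = verify_permission('user_edit_templ_perm');` and test `$can_set_templ` in both `if` statements. When the permission is missing, `perm_templ` is omitted and the new row takes whatever default the schema defines; that default is not visible here and should be confirmed to be the least-privileged template. Separately, the untouched context line still stores `md5($details['password'])`, an unsalted fast hash that deserves its own follow-up. Both add_new_user and edit_user continue outside the hunks shown.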
