Fix for bug 108821: Prevent users with any blessgroupset privileges from blessing...
authormyk%mozilla.org <>
Thu, 8 Nov 2001 08:52:13 +0000 (08:52 +0000)
committermyk%mozilla.org <>
Thu, 8 Nov 2001 08:52:13 +0000 (08:52 +0000)
Patch by Jake <jake@acutex.net> and Bradley <bbaetz@cs.mcgill.ca>.
r=jake,myk for Bradley's portion, r=bbaetz,myk for Jake's portion.

editusers.cgi

index 3e4a20e3b22c43af6c5f776b2695241993b5196e..a2a6ee51b7c884d171beace10dc0703094bdcf47 100755 (executable)
@@ -742,12 +742,14 @@ if ($action eq 'update') {
     foreach (keys %::FORM) {
         next unless /^bit_/;
         #print "$_=$::FORM{$_}<br>\n";
+        detaint_natural($::FORM{$_}) || die "Groupset field tampered with";
         $groupset .= " + $::FORM{$_}";
     }
     my $blessgroupset = "0";
     foreach (keys %::FORM) {
         next unless /^blbit_/;
         #print "$_=$::FORM{$_}<br>\n";
+        detaint_natural($::FORM{$_}) || die "Blessgroupset field tampered with";
         $blessgroupset .= " + $::FORM{$_}";
     }
 
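Review bot: Neither added `detaint_natural(...) || die` line says why the value must be a bare non-negative integer, and the reason is not local to these loops: `$groupset` is interpolated unquoted into the `UPDATE profiles` statement further down (and `$blessgroupset` is presumably used the same way), so this check is the only barrier between the form field and the SQL text. A comment above each check, for example `# Interpolated unquoted into SQL below; must be a plain natural number.`, would keep a later edit from relaxing it. It is also worth confirming where the `die` text ends up under the web server in use, since a rejected field is a tampering signal an administrator would want to see in a log. The enclosing `if ($action eq 'update')` block starts and ends outside the hunk.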
@@ -767,7 +769,8 @@ if ($action eq 'update') {
         } else {
            SendSQL("UPDATE profiles
                     SET groupset =
-                         groupset - (groupset & $opblessgroupset) + $groupset
+                         groupset - (groupset & $opblessgroupset) + 
+                         (($groupset) & $opblessgroupset)
                     WHERE login_name=" . SqlQuote($userold));
 
            # I'm paranoid that someone who I give the ability to bless people
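Review bot: The new term `(($groupset) & $opblessgroupset)` silently drops every requested bit the editor is not allowed to bless, and nothing in the statement explains or records that. Because `$groupset` is built as a sum (`0 + a + b`), the same value arriving in two `bit_` fields carries into a different bit before the mask is applied; the mask keeps the result inside the blessable set, so this looks like a correctness issue rather than a privilege one, but it deserves a comment. I would add above the call `# Clear the bits this editor may bless, then set only the requested bits that fall inside the same mask.` The fix holds only if `$opblessgroupset`, which is defined outside the hunk, is taken from the editor's stored profile and never from the request. The `SendSQL` call sits in an `else` branch whose `if` is not visible here.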