From 6f66681a7a9d326e628e3a0e70de34fa20c4bb16 Mon Sep 17 00:00:00 2001
From: "myk%mozilla.org" <>
Date: Thu, 8 Nov 2001 08:52:13 +0000
Subject: Fix for bug 108821: Prevent users with any blessgroupset privileges
 from blessing any group set. Patch by Jake <jake@acutex.net> and Bradley
 <bbaetz@cs.mcgill.ca>. r=jake,myk for Bradley's portion, r=bbaetz,myk for
 Jake's portion.

---
 editusers.cgi | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/editusers.cgi b/editusers.cgi
index 3e4a20e3b..a2a6ee51b 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -742,12 +742,14 @@ if ($action eq 'update') {
     foreach (keys %::FORM) {
         next unless /^bit_/;
         #print "$_=$::FORM{$_}<br>\n";
+        detaint_natural($::FORM{$_}) || die "Groupset field tampered with";
         $groupset .= " + $::FORM{$_}";
     }
     my $blessgroupset = "0";
     foreach (keys %::FORM) {
         next unless /^blbit_/;
         #print "$_=$::FORM{$_}<br>\n";
+        detaint_natural($::FORM{$_}) || die "Blessgroupset field tampered with";
         $blessgroupset .= " + $::FORM{$_}";
     }
 
@@ -767,7 +769,8 @@ if ($action eq 'update') {
         } else {
            SendSQL("UPDATE profiles
                     SET groupset =
-                         groupset - (groupset & $opblessgroupset) + $groupset
+                         groupset - (groupset & $opblessgroupset) + 
+                         (($groupset) & $opblessgroupset)
                     WHERE login_name=" . SqlQuote($userold));
 
            # I'm paranoid that someone who I give the ability to bless people
-- 
cgit v1.2.3-24-g4f1b