From c4c473b908a62eaf839a61b657397a9c66b1f82c Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Thu, 6 Nov 2008 00:38:49 +0000
Subject: Bug 449931: [SECURITY] Unprivileged users can approve/unapprove all
 the quips (including bypassing moderation) - Patch by Robin H. Johnson
 <robbat2@gentoo.org> r/a=LpSolit

---
 quips.cgi | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

(limited to 'quips.cgi')

diff --git a/quips.cgi b/quips.cgi
index 295b6c83f..33b4e23ce 100755
--- a/quips.cgi
+++ b/quips.cgi
@@ -88,6 +88,11 @@ if ($action eq "add") {
 }
 
 if ($action eq 'approve') {
+    $user->in_group('admin')
+      || ThrowUserError("auth_failure", {group  => "admin",
+                                         action => "approve",
+                                         object => "quips"});
+ 
     # Read in the entire quip list
     my $quipsref = $dbh->selectall_arrayref("SELECT quipid, approved FROM quips");
     
@@ -100,11 +105,18 @@ if ($action eq 'approve') {
     my @approved;
     my @unapproved;
     foreach my $quipid (keys %quips) {
-       my $form = $cgi->param('quipid_'.$quipid) ? 1 : 0;
-       if($quips{$quipid} ne $form) {
-           if($form) { push(@approved, $quipid); }
-           else { push(@unapproved, $quipid); }
-       }
+        # Must check for each quipid being defined for concurrency and
+        # automated usage where only one quipid might be defined.
+        my $quip = $cgi->param("quipid_$quipid") ? 1 : 0;
+        if(defined($cgi->param("defined_quipid_$quipid"))) {
+            if($quips{$quipid} != $quip) {
+                if($quip) { 
+                    push(@approved, $quipid); 
+                } else { 
+                    push(@unapproved, $quipid); 
+                }
+            }
+        }
     }
     $dbh->do("UPDATE quips SET approved = 1 WHERE quipid IN (" .
             join(",", @approved) . ")") if($#approved > -1);
-- 
cgit v1.2.3-24-g4f1b