-rw-r--r--include/proto.h1
-rw-r--r--mbbsd/announce.c10
-rw-r--r--mbbsd/board.c4
-rw-r--r--mbbsd/stuff.c10
4 files changed, 10 insertions, 15 deletions
diff --git a/include/proto.h b/include/proto.h
index 35e2fb4e..cfeace26 100644
--- a/include/proto.h
+++ b/include/proto.h
@@ -607,7 +607,6 @@ void setcalfile(char *buf, char *userid);
int show_file(const char *filename, int y, int lines, int mode);
int cursor_key(int row, int column);
int search_num(int ch, int max);
-int is_BM(const char *list);
void setuserfile(char *buf, const char *fname);
void setbdir(char *buf, const char *boardname);
void setaidfile(char *buf, const char *bn, aidu_t aidu);
diff --git a/mbbsd/announce.c b/mbbsd/announce.c
index 233ac5f6..35e9ecc0 100644
--- a/mbbsd/announce.c
+++ b/mbbsd/announce.c
@@ -1048,8 +1048,14 @@ a_menu(const char *maintitle, const char *path,
if (!(me.level = lastlevel)) {
char *ptr;
- if ((ptr = strrchr(me.mtitle, '[')))
- me.level = is_BM(ptr + 1);
+ // warning: this is only valid for me.level.
+ // is_uBM should not do anything except returning test result:
+ // for ex, setting user BM permission automatically.
+ // such extra behavior will result in any sub-op to have PERM_BM
+ // ability, which leads to entering BM board without authority.
+ // Thanks to mtdas@ptt for reporting this exploit.
+ if (HasUserPerm(PERM_BASIC) && (ptr = strrchr(me.mtitle, '[')))
+ me.level = is_uBM(ptr + 1, cuser.userid);
}
me.page = 9999;
me.now = 0;
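Review bot: The new comment above the `is_uBM` call in a_menu is worded so that "setting user BM permission automatically" reads as an example of what is_uBM should do, which is the opposite of the intent. I would reword it along the lines of `// is_uBM must stay a pure membership test: no side effects such as OR-ing PERM_BM into cuser.userlevel.` followed by `// The result is used only for me.level, i.e. it is scoped to this announce menu.` The added `HasUserPerm(PERM_BASIC)` guard also deserves one line of explanation (presumably it keeps guest or unregistered sessions from ever matching the list), since the hunk does not explain it. a_menu starts and ends outside this hunk, so how me.level is consumed later is not visible here.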
diff --git a/mbbsd/board.c b/mbbsd/board.c
index e531a0d6..b1ad5821 100644
--- a/mbbsd/board.c
+++ b/mbbsd/board.c
@@ -1329,9 +1329,9 @@ show_brdlist(int head, int clsflag, int newflag)
static void
set_menu_BM(char *BM)
{
- if (!HasUserPerm(PERM_NOCITIZEN) && (HasUserPerm(PERM_ALLBOARD) || is_BM(BM))) {
+ if (!HasUserPerm(PERM_NOCITIZEN) && (HasUserPerm(PERM_ALLBOARD) || is_uBM(BM, cuser.userid))) {
currmode |= MODE_GROUPOP;
- cuser.userlevel |= PERM_SYSSUBOP;
+ cuser.userlevel |= PERM_SYSSUBOP | PERM_BM;
}
}
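Review bot: `cuser.userlevel |= PERM_SYSSUBOP | PERM_BM;` in set_menu_BM still widens the session-wide permission word, and nothing in this hunk clears either bit when the user leaves the group, so the elevation is not scoped to the boards this list governs. The line also changes behaviour for PERM_ALLBOARD users: the old `||` short-circuited past is_BM so they never received PERM_BM here, and now they do; if that is intended it should be stated. Unlike the announce.c hunk, there is no `HasUserPerm(PERM_BASIC)` guard in front of `is_uBM(BM, cuser.userid)`, and whether is_uBM tolerates a NULL or empty `BM` is not visible from here. At minimum I would add a comment such as `/* grants PERM_SYSSUBOP|PERM_BM for the rest of the session; PERM_BM alone must not be treated as authority over a specific board */` and have per-board checks re-test list membership with is_uBM.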
diff --git a/mbbsd/stuff.c b/mbbsd/stuff.c
index 03b05d3c..4cdae745 100644
--- a/mbbsd/stuff.c
+++ b/mbbsd/stuff.c
@@ -87,16 +87,6 @@ is_uBM(const char *list, const char *id)
}
int
-is_BM(const char *list)
-{
- if (is_uBM(list, cuser.userid)) {
- cuser.userlevel |= PERM_BM; /* Ptt 自動加上BM的權利 */
- return 1;
- }
- return 0;
-}
-
-int
userid_is_BM(const char *userid, const char *list)
{
register int ch, len;