From 69c9cb0679788ad922528ae140249a1c0ba88da7 Mon Sep 17 00:00:00 2001 From: piaip Date: Mon, 5 May 2008 01:44:59 +0000 Subject: - security exploit: calling localtime() during getdata() may change the log date result of recommend(). - (internal) money verification code refine git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@4269 63ad8ddf-47c3-0310-b6dd-a9e9d9715204 --- mbbsd/bbs.c | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) (limited to 'mbbsd') diff --git a/mbbsd/bbs.c b/mbbsd/bbs.c index f99ea0a8..e0add447 100644 --- a/mbbsd/bbs.c +++ b/mbbsd/bbs.c @@ -1094,10 +1094,14 @@ do_general(int isbid) owner = cuser.userid; #endif - /* ¿ú */ + // ---- BEGIN OF MONEY VERIFICATION ---- + + // money verification +#ifdef MAX_POST_MONEY if (aborted > MAX_POST_MONEY * 2) aborted = MAX_POST_MONEY; else +#endif aborted /= 2; // drop money for free boards @@ -1106,17 +1110,24 @@ do_general(int isbid) aborted = 0; } + // also drop for anonymos/bid posts if(ifuseanony) { + aborted = 0; postfile.filemode |= FILE_ANONYMOUS; postfile.multi.anon_uid = currutmp->uid; } + else if (isbid) { + aborted = 0; + } else if(!isbid) { /* general article */ postfile.modified = dasht(fpath); postfile.multi.money = aborted; } - + + // ---- END OF MONEY VERIFICATION ---- + strlcpy(postfile.owner, owner, sizeof(postfile.owner)); strlcpy(postfile.title, save_title, sizeof(postfile.title)); if (islocal) /* local save */ @@ -1180,10 +1191,6 @@ do_general(int isbid) } outs("¶¶§Q¶K¥X§G§i¡A"); -#ifdef MAX_POST_MONEY - if (aborted > MAX_POST_MONEY) - aborted = MAX_POST_MONEY; -#endif // Freeboard/BRD_BAD check was already done. if (!ifuseanony) { @@ -3001,6 +3008,9 @@ recommend(int ent, fileheader_t * fhdr, const char *direct) /* build tail first. */ char tail[STRLEN]; + // sync time again because ptime may be changed during + // getdata(). + ptime = localtime4(&now); if(logIP) { snprintf(tail, sizeof(tail), 
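Review bot: The cap in the new money-verification block of do_general() is an `if`/`else` that straddles `#ifdef MAX_POST_MONEY`, so the `else` and the statement it governs (`aborted /= 2;`) sit on opposite sides of the preprocessor guard and the payout limit is hard to audit. Halving first and clamping afterwards gives the same result wherever `MAX_POST_MONEY * 2` does not overflow, and it removes that multiplication: `aborted /= 2;` followed, inside the `#ifdef`, by `if (aborted > MAX_POST_MONEY) aborted = MAX_POST_MONEY;`. do_general()'s body starts and ends outside the hunk.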
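Review bot: After the added `else if (isbid)` branch, the following `else if(!isbid)` can never be false, so it should be a plain `else` to make it obvious that every post type takes exactly one branch of the payout decision. The new comment also misspells the word; it should read `// also drop for anonymous/bid posts`. Since this commit removes the `MAX_POST_MONEY` clamp that used to sit next to the payout message later in do_general(), it is worth confirming that nothing between this block and that code reassigns `aborted`; those lines are outside this hunk.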
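Review bot: Re-reading the clock just before `tail` is built in recommend() narrows the window, but `ptime` is still a pointer that other code can overwrite, as the commit message describes for getdata(). Any call made between this assignment and the last use of `ptime` would change the logged date in the same way. Presumably localtime4() returns a pointer to shared static storage like localtime() does; confirm this in its definition. If so, a private copy removes the dependency on call order: `struct tm tm_now = *localtime4(&now);`, then format from `&tm_now`. recommend()'s body continues outside the hunk.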
@@ -3308,8 +3318,12 @@ del_post(int ent, fileheader_t * fhdr, char *direct) if (fhdr->multi.money < 0 || IsFreeBoardName(currboard) || (currbrdattr & BRD_BAD) || (currmode & MODE_DIGEST) || + (fhdr->filemode & INVALIDMONEY_MODES) || + /* (fhdr->filemode & FILE_ANONYMOUS) || - (fhdr->filemode & FILE_BID)) + (fhdr->filemode & FILE_BID) || + */ + 0) fhdr->multi.money = 0; if (fhdr->multi.money <= 0) @@ -3329,7 +3343,7 @@ del_post(int ent, fileheader_t * fhdr, char *direct) #endif } } - else + else { // owner case if (cuser.numposts) -- cgit v1.2.3
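Review bot: `INVALIDMONEY_MODES` is not defined in this patch (the diffstat lists only mbbsd/bbs.c), so the condition in del_post() depends on a definition elsewhere covering at least `FILE_ANONYMOUS` and `FILE_BID`, the two checks it replaces. That matters because do_general() stores `multi.anon_uid` rather than `multi.money` for anonymous posts; if `multi` is a union (not visible here), a missing flag would let the uid be read back as a money amount. The commented-out checks and the trailing `|| 0` should be deleted so that the condition ends at `(fhdr->filemode & INVALIDMONEY_MODES))`. A comment at the use site would help, for example `/* INVALIDMONEY_MODES: file modes whose multi field does not hold money */`. del_post()'s body starts and ends outside the hunk.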