From a6e44aa251cf09f060dbc794d35be732d71ce131 Mon Sep 17 00:00:00 2001 Message-Id: From: Mark Wooding Date: Sun, 31 Jul 2011 16:55:51 +0100 Subject: [PATCH] SECURITY: server: don't allow local connections to adduser/deluser. Organization: Straylight/Edgeware From: Richard Kettlewell As of this change, the only thing that needs only RIGHT__LOCAL is 'reminder'. This has been wrong since eb5dc014179415a0e5476e986519ac96c36221f9 (December 2007) and was first released in DisOrder 3.0.
---
 server/server.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/server/server.c b/server/server.c
index 858edbc..0ebfb4f 100644
--- a/server/server.c
+++ b/server/server.c
@@ -1855,12 +1855,12 @@ static const struct command {
 */
 rights_type rights;
 } commands[] = {
- { "adduser", 2, 3, c_adduser, RIGHT_ADMIN|RIGHT__LOCAL },
+ { "adduser", 2, 3, c_adduser, RIGHT_ADMIN },
 { "adopt", 1, 1, c_adopt, RIGHT_PLAY },
 { "allfiles", 0, 2, c_allfiles, RIGHT_READ },
 { "confirm", 1, 1, c_confirm, 0 },
 { "cookie", 1, 1, c_cookie, 0 },
- { "deluser", 1, 1, c_deluser, RIGHT_ADMIN|RIGHT__LOCAL },
+ { "deluser", 1, 1, c_deluser, RIGHT_ADMIN },
 { "dirs", 0, 2, c_dirs, RIGHT_READ },
 { "disable", 0, 1, c_disable, RIGHT_GLOBAL_PREFS },
 { "edituser", 3, 3, c_edituser, RIGHT_ADMIN|RIGHT_USERINFO },
@@ -1897,7 +1897,7 @@ static const struct command {
 { "random-enabled", 0, 0, c_random_enabled, RIGHT_READ },
 { "recent", 0, 0, c_recent, RIGHT_READ },
 { "reconfigure", 0, 0, c_reconfigure, RIGHT_ADMIN },
- { "register", 3, 3, c_register, RIGHT_REGISTER|RIGHT__LOCAL },
+ { "register", 3, 3, c_register, RIGHT_REGISTER },
 { "reminder", 1, 1, c_reminder, RIGHT__LOCAL },
 { "remove", 1, 1, c_remove, RIGHT_REMOVE__MASK },
 { "rescan", 0, INT_MAX, c_rescan, RIGHT_RESCAN },
-- [mdw]
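Review bot: The `edituser` entry at the end of this hunk still carries a two-bit mask, `RIGHT_ADMIN|RIGHT_USERINFO`, and the fix above only makes sense if the dispatcher accepts a caller holding any one bit of `rights`. If that reading is right, `edituser` is reachable with RIGHT_USERINFO alone, which is safe only if c_edituser itself limits what a non-admin may change; its body is not in this patch, so that should be confirmed. Because the any-of meaning is what made the old adduser/deluser entries wrong, I would state it where the field is declared, e.g. `/* any ONE of these bits is sufficient; OR-ing in RIGHT__LOCAL widens access, it does not add a requirement */`. The doc comment for `rights` starts above the hunk, so it may already say this.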
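Review bot: The `register` entry is tightened here in the same way as adduser/deluser, but the subject line names only those two commands, so the commit record understates what was exposed. After this hunk `reminder` is the only entry granted on RIGHT__LOCAL alone, and that line deserves a comment such as `/* RIGHT__LOCAL only, by design: local connections without other rights may call this */` so the next reader does not "fix" it or copy it. Nothing in the table prevents the same mistake from returning; a startup pass over `commands[]` that rejects any entry where `(rights & RIGHT__LOCAL) && rights != RIGHT__LOCAL` would catch it. The initializer continues outside the hunk, so other entries could not be checked from here.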