chiark / gitweb /
~mdw / disorder / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
disobedience/disobedience.h: Declare variables as `extern'.
[disorder] / cgi / actions.c
diff --git a/cgi/actions.c b/cgi/actions.c
index 6e180984cd6bb07650c34e6aac932cfb0f764aeb..6f094cb7780a98b928092fcfe45869d801c3e7c0 100644 (file)
--- a/cgi/actions.c
+++ b/cgi/actions.c
@@ -307,8 +307,12 @@ static int login_as(const char *username, const char *password) {
 
   if(dcgi_cookie && dcgi_client)
     disorder_revoke(dcgi_client);
 
   if(dcgi_cookie && dcgi_client)
     disorder_revoke(dcgi_client);
-  /* We'll need a new connection as we are going to stop being guest */
+  /* We'll need a new connection as we are going to stop being guest.
+   * Make sure it's unprivileged, so that the server actually bothers checking
+   * the password we supply.
+   */
   c = disorder_new(0);
   c = disorder_new(0);
+  disorder_force_unpriv(c);
   if(disorder_connect_user(c, username, password)) {
     login_error("loginfailed");
     return -1;
   if(disorder_connect_user(c, username, password)) {
     login_error("loginfailed");
     return -1;
Multi-user software jukebox -- https://www.greenend.org.uk/rjk/disorder/