A check is only done to verify a Trusted User isn't promoting their account. An attacker can send tampered account type POST data to change their "User" level account to a "Developer" account.
Add check so that all users cannot increase their own account permissions. Signed-off-by: canyonknight <[email protected]> Signed-off-by: Lukas Fleischer <[email protected]> --- Already applied to maint branch and aur.archlinux.org setup. Anyone using a custom AUR setup should apply this patch. web/lib/acctfuncs.inc.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 81e06b6..a41659e 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -145,8 +145,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", $error = __("The PGP key fingerprint is invalid."); } - if ($UTYPE == "Trusted User" && $T == 3) { - $error = __("A Trusted User cannot assign Developer status."); + if (($UTYPE == "User" && $T > 1) || ($UTYPE == "Trusted User" && $T > 2)) { + $error = __("Cannot increase account permissions."); } if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) { $error = __("Language is not currently supported."); -- 1.8.0.1
