From 67f9f18eb6d222fe329a42ccfd1e82c88d4d392c Mon Sep 17 00:00:00 2001 From: Stefan Ritt Date: Fri, 31 Jan 2003 11:57:16 +0000 Subject: [PATCH] Do not allow commands which are not present in menu list SVN revision: 367 --- src/elogd.c | 289 +++++++++++++++++++++++++++++++++------------------- 1 file changed, 187 insertions(+), 102 deletions(-) diff --git a/src/elogd.c b/src/elogd.c index b67d0c73..4c7d93eb 100755 --- a/src/elogd.c +++ b/src/elogd.c @@ -6,6 +6,9 @@ Contents: Web server program for Electronic Logbook ELOG $Log$ + Revision 1.3 2003/01/31 11:57:16 midas + Do not allow commands which are not present in menu list + Revision 1.2 2003/01/30 14:52:41 midas Change USE_CRYPT to HAVE_CRYPT @@ -524,7 +527,7 @@ \********************************************************************/ /* Version of ELOG */ -#define VERSION "2.2.6" +#define VERSION "2.3.0" #include #include 
@@ -4440,58 +4443,6 @@ int i, fh, wrong_pwd, size; /*------------------------------------------------------------------*/ -BOOL allow_user(LOGBOOK *lbs, char *command) -{ -char str[1000], users[2000]; -char list[MAX_N_LIST][NAME_LENGTH]; -int i, n; - - /* check for user level access */ - if (!getcfg(lbs->name, "Password file", str)) - return TRUE; - - /* check for deny */ - sprintf(str, "Deny %s", command); - if (getcfg(lbs->name, str, users)) - { - /* check if current user in list */ - n = strbreak(users, list, MAX_N_LIST); - for (i=0 ; iname, "Admin user", str)) - { - if (strstr(str, getparam("unm")) != 0) - return TRUE; - else - return FALSE; - } - } - - /* check for allow */ - sprintf(str, "Allow %s", unloc(command)); - if (!getcfg(lbs->name, str, users)) - return TRUE; - - /* check if current user in list */ - n = strbreak(users, list, MAX_N_LIST); - for (i=0 ; iname, "Password file", str)) + return TRUE; + + /* check for deny */ + sprintf(str, "Deny %s", command); + if (getcfg(lbs->name, str, users)) + { + /* check if current user in list */ + n = strbreak(users, list, MAX_N_LIST); + for (i=0 ; iname, "Admin user", str)) + { + if (strstr(str, getparam("unm")) != 0) + return TRUE; + else + return FALSE; + } + } + + /* check for allow */ + sprintf(str, "Allow %s", unloc(command)); + if (!getcfg(lbs->name, str, users)) + return TRUE; + + /* check if current user in list */ + n = strbreak(users, list, MAX_N_LIST); + for (i=0 ; iname, "Guest Menu commands", menu_str) || + *getparam("unm") != 0) + getcfg(lbs->name, "Menu commands", menu_str); + + /* default menu commands */ + if (menu_str[0] == 0) + { + strcpy(menu_str, "Back, New, Edit, Delete, Reply, Find, "); + + if (getcfg(lbs->name, "Password file", str)) + { + if (getcfg(lbs->name, "Admin user", str) && + strstr(str, getparam("unm")) != 0) + { + strcat(menu_str, "Admin, "); + } + strcat(menu_str, "Config, Logout, "); + } + else + { + strcat(menu_str, "Config, "); + } + + strcat(menu_str, "Help, "); + } + else 
+ { + /* check for admin command */ + n = strbreak(menu_str, menu_item, MAX_N_LIST); + menu_str[0] = 0; + admin_user[0] = 0; + getcfg(lbs->name, "Admin user", admin_user); + for (i=0 ; iname, "Guest Find Menu commands", str) || + *getparam("unm") != 0) + getcfg(lbs->name, "Find Menu commands", str); + + if (str[0]) + strlcat(menu_str, str, sizeof(menu_str)); + else + { + strlcat(menu_str, "New, Find, Select, Last x, Help, ", sizeof(menu_str)); + + if (getcfg(lbs->name, "Password file", str)) + strlcat(menu_str, "Admin, Config, Logout, ", sizeof(menu_str)); + else + strlcat(menu_str, "Config, ", sizeof(menu_str)); + } + + strcpy(other_str, "Submit, Back, Search, Save, Download, Cancel, First, Last, Previous, Next, "); + + /* admin commands */ + if (getcfg(lbs->name, "Admin user", str) && + *getparam("unm") && + strstr(str, getparam("unm")) != 0) + { + strcat(other_str, "Remove user, New user, Activate, "); + } + else + if (getcfg(lbs->name, "Self register", str) && + atoi(str) > 0) + { + strcat(other_str, "Remove user, New user, "); + } + + /* allow change password if "config" possible */ + if (equal_ustring(command, loc("Change password")) && + strstr(menu_str, "Config")) + { + return TRUE; + } + /* check if command is present in the menu list, exclude non-localized submit for elog */ + else if (command[0] && !equal_ustring(command, "Submit")) + { + n = strbreak(menu_str, menu_item, MAX_N_LIST); + for (i=0 ; iname, "Admin user", str) && - *getparam("unm") && - strstr(str, getparam("unm")) != 0) - { - strcat(other_str, "Remove user, New user, Activate, "); - } - else - if (getcfg(lbs->name, "Self register", str) && - atoi(str) > 0) - { - strcat(other_str, "Remove user, New user, "); - } - - /* allow change password if "config" possible */ - if (equal_ustring(command, loc("Change password")) && - strstr(menu_str, "Config")) - { - } - /* check if command is present in the menu list, exclude non-localized submit for elog */ - else if (command[0] && 
!equal_ustring(command, "Submit")) - { - n = strbreak(menu_str, menu_item, MAX_N_LIST); - for (i=0 ; i%s\" not allowed"), command); - show_error(str); - return; - } - } - } - /*---- check next/previous message -------------------------------*/ if (equal_ustring(command, loc("Next")) || equal_ustring(command, loc("Previous")) || @@ -9217,7 +9294,7 @@ BOOL first; { if (i==0) rsprintf(""); - rsprintf("%s %s
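Review bot: The admin-user test in the new code, `strstr(str, getparam("unm")) != 0` in is_user_allowed and again in the default-menu branch of is_command_allowed, is a substring match rather than a list lookup: a user whose name is contained in any "Admin user" entry qualifies, and an empty `unm` qualifies unconditionally, because strstr() with an empty needle returns a non-NULL pointer — the "admin commands" branch further down guards with `*getparam("unm") &&`, but these two sites do not. The Allow/Deny checks in the same function already tokenize with strbreak() and compare with equal_ustring(); the admin check should do the same through a helper like the one below, called from all three sites (assuming the "Admin user" value is comma-separated like the Allow/Deny lists — confirm). The new `sprintf(str, "Deny %s", command)` into a fixed buffer is also unbounded if `command` comes from the request; the file already uses strlcat(), so a bounded formatter is presumably available. Parts of this hunk are garbled in this rendering (a `<`…`>` span was dropped), so its exact boundaries could not be confirmed.
```c
/* TRUE when the current user name is a whole entry of "Admin user" */
BOOL is_admin_user(LOGBOOK *lbs)
{
char str[1000], list[MAX_N_LIST][NAME_LENGTH];
int i, n;

  if (*getparam("unm") == 0 || !getcfg(lbs->name, "Admin user", str))
    return FALSE;

  n = strbreak(str, list, MAX_N_LIST);
  for (i = 0; i < n; i++)
    if (equal_ustring(list[i], getparam("unm")))
      return TRUE;

  return FALSE;
}
```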
\n", loc("EMail sent to"), getparam(str)); + rsprintf("%s %s
\n", loc("Email sent to"), getparam(str)); } else break; @@ -10365,7 +10442,7 @@ FILE *f; strcpy(command, loc("Last")); /* check if command allowed for current user */ - if (!allow_user(lbs, command)) + if (!is_user_allowed(lbs, command)) { sprintf(str, loc("Error: Command \"%s\" is not allowed for user \"%s\""), command, getparam("full_name")); @@ -10373,6 +10450,14 @@ FILE *f; return; } + /* check if command in menu list */ + if (!is_command_allowed(lbs, command)) + { + sprintf(str, loc("Error: Command \"%s\" not allowed"), command); + show_error(str); + return; + } + /*---- check for various commands --------------------------------*/ if (equal_ustring(command, loc("Help")))
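Review bot: The new rejection path formats the request-supplied command into `str` with an unbounded `sprintf()` and then hands it to show_error(); `str` is declared outside this hunk, so its size is not visible, and whether show_error() HTML-escapes its argument is not visible either. A command that fails is_command_allowed() is by construction a value the server never offered, so this is exactly where a client-chosen string gets echoed back verbatim — unescaped, it is a reflected-XSS vector, and over-long, a buffer overrun. Use a bounded formatter, `snprintf(str, sizeof(str), loc("Error: Command \"%s\" not allowed"), command);` (assuming `str` is an array as in the neighbouring functions; the file already uses strlcat(), so a bounded variant is presumably available), and confirm that show_error() escapes its text or truncate/escape `command` before formatting. The enclosing function starts and ends outside this hunk.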