Changeset 3183c21 for storage.c


Timestamp:
2008-09-06T22:59:32Z (11 years ago)
Author:
Wilmer van der Gaast <wilmer@…>
Branches:
master
Children:
15d1469
Parents:
0a4f6f4
Message:

Completely reviewed all uses of irc->password, irc_setpass() and
USTATUS_IDENTIFIED after another account overwriting vulnerability was
found by Tero Marttila.

File:
1 edited

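--- a/storage.c
+++ b/storage.c
@@ -103,7 +103,10 @@
 }
 
-storage_status_t storage_load (const char *nick, const char *password, irc_t * irc)
-{
-        GList *gl;
+storage_status_t storage_load (irc_t * irc, const char *password)
+{
+        GList *gl;
+       
+        if (irc && irc->status & USTATUS_IDENTIFIED)
+                return STORAGE_OTHER_ERROR;
        
         /* Loop until we don't get NO_SUCH_USER */
@@ -112,9 +115,7 @@
                 storage_status_t status;
 
-                status = st->load(nick, password, irc);
-                if (status == STORAGE_OK) {
-                        irc_setpass(irc, password);
+                status = st->load(irc, password);
+                if (status == STORAGE_OK)
                         return status;
-                }
                
                 if (status != STORAGE_NO_SUCH_USER)
@@ -125,7 +126,25 @@
 }
 
-storage_status_t storage_save (irc_t *irc, int overwrite)
-{
-        return ((storage_t *)global.storage->data)->save(irc, overwrite);
+storage_status_t storage_save (irc_t *irc, char *password, int overwrite)
+{
+        storage_status_t st;
+       
+        if (password != NULL) {
+                /* Should only use this in the "register" command. */
+                if (irc->password || overwrite)
+                        return STORAGE_OTHER_ERROR;
+               
+                irc_setpass(irc, password);
+        } else if ((irc->status & USTATUS_IDENTIFIED) == 0) {
+                return STORAGE_NO_SUCH_USER;
+        }
+       
+        st = ((storage_t *)global.storage->data)->save(irc, overwrite);
+       
+        if (password != NULL) {
+                irc_setpass(irc, NULL);
+        }
+       
+        return st;
 }
 
@@ -143,6 +162,5 @@
 
                 status = st->remove(nick, password);
-                if (status != STORAGE_NO_SUCH_USER &&
-                        status != STORAGE_OK)
+                if (status != STORAGE_NO_SUCH_USER && status != STORAGE_OK)
                         ret = status;
         }
@@ -150,4 +168,7 @@
         return ret;
 }
+
+#if 0
+Not using this yet. Test thoroughly before adding UI hooks to this function.
 
 storage_status_t storage_rename (const char *onick, const char *nnick, const char *password)
@@ -189,2 +210,3 @@
         return STORAGE_OK;
 }
+#endif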
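Review bot: In storage_save, the register branch decides whether the session already owns an account by testing `irc->password`, while storage_load and the `else` branch of the same function test `USTATUS_IDENTIFIED`. If any caller outside this section can leave those two out of step, the register path would accept a session that is already identified. Since this change exists to close an account-overwrite path, I would make the guard cover both: `if (irc->password || (irc->status & USTATUS_IDENTIFIED) || overwrite)`. storage_save also dereferences `irc` unconditionally, whereas storage_load tolerates `irc == NULL`. A comment above storage_save stating that `irc` must be non-NULL, and that a non-NULL `password` is only valid for a fresh registration with `overwrite == 0`, would pin the contract down.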