diff -Naur -x '*.orig' sympa-6.2.16/src/cgi/wwsympa.fcgi.in sympa-6.2.16-CVE-2018-1000550/src/cgi/wwsympa.fcgi.in
--- sympa-6.2.16/src/cgi/wwsympa.fcgi.in 2016-06-10 17:59:55.000000000 +0200
+++ sympa-6.2.16-CVE-2018-1000550/src/cgi/wwsympa.fcgi.in 2019-02-20 22:34:08.732042717 +0100
@@ -194,7 +194,6 @@
 'firstpasswd' => 'do_firstpasswd',
 'requestpasswd' => 'do_requestpasswd',
 'choosepasswd' => 'do_choosepasswd',
- 'viewfile' => 'do_viewfile',
 'set' => 'do_set',
 'admin' => 'do_admin',
 'add_request' => 'do_add_request',
@@ -642,6 +641,7 @@
 'edit_list' => ['owner'],
 'edit_list_request' => ['owner'],
 'edit_template' => ['listmaster'],
+ 'editfile' => ['owner', 'listmaster'],
 'editsubscriber' => ['owner', 'editor'],
 'get_closed_lists' => ['listmaster'],
 'get_inactive_lists' => ['listmaster'],
@@ -669,6 +669,7 @@
 'restore_list' => ['listmaster'],
 'review_family' => ['listmaster'],
 'reviewbouncing' => ['owner', 'editor'],
+ 'savefile' => ['owner', 'listmaster'],
 'search_user' => ['listmaster'],
 'serveradmin' => ['listmaster'],
 'set_dumpvars' => ['listmaster'],
@@ -6582,9 +6583,10 @@
 'message.header', 'remind.tt2', 'invite.tt2', 'reject.tt2' ) {
- next
- unless (
- $list->may_edit($f, $param->{'user'}{'email'}) eq 'write');
+ my $fa = ($f eq 'info') ? 'info.file' : $f;
+ my ($role, $right) =
+ $list->may_edit($fa, $param->{'user'}{'email'});
+ next unless $right eq 'write';
 if ($Sympa::Tools::WWW::filenames{$f}{'gettext_id'}) {
 $param->{'files'}{$f}{'complete'} = $language->gettext(
@@ -9205,12 +9207,9 @@
 my $filename_for_auth = $f;
 $filename_for_auth = 'info.file' if ($filename_for_auth eq 'info');
- next
- unless (
- $list->may_edit(
- $filename_for_auth, $param->{'user'}{'email'}
- ) eq 'write'
- );
+ my ($role, $right) = $list->may_edit(
+ $filename_for_auth, $param->{'user'}{'email'});
+ next unless $right eq 'write';
 if ($Sympa::Tools::WWW::filenames{$f}{'gettext_id'}) {
 $param->{'files'}{$f}{'complete'} = $language->gettext(
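Review bot: The `info` to `info.file` translation of the key handed to `may_edit` is now spelled out by hand in three places — `my $fa = ($f eq 'info') ? 'info.file' : $f;` in the hunk at 6582, the `$filename_for_auth` lines in the hunk at 9205, and again in do_savefile at 9380 — so the key used when listing editable files and the key used when enforcing the write right can drift apart; a one-line helper such as `sub _edit_auth_key { my ($f) = @_; return $f eq 'info' ? 'info.file' : $f; }` called from all three keeps the listing and the enforcement point in agreement. `next unless $right eq 'write';` fails closed if `may_edit` ever returns an empty list, but `$right` is then undef and the `eq` warns under `use warnings`; `next unless defined $right and $right eq 'write';` keeps the same decision without the noise, and the same applies to `unless ($right eq 'write') {` in the do_savefile hunk. Both `foreach` loops these hunks sit in begin and end outside the hunks.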
@@ -9380,10 +9379,21 @@
 $param->{'subtitle'} = sprintf $param->{'subtitle'}, $in{'file'};
+ unless ($in{'file'} and $Sympa::Tools::WWW::filenames{$in{'file'}}) {
+ Sympa::Report::reject_report_web('user', 'file_not_editable',
+ {'file' => $in{'file'}},
+ $param->{'action'});
+ wwslog('info', 'File %s not editable', $in{'file'});
+ return undef;
+ }
+
 if ($param->{'list'}) {
- unless ($list->is_admin('owner', $param->{'user'}{'email'})
- or Sympa::is_listmaster($list, $param->{'user'}->{'email'})) {
- Sympa::Report::reject_report_web('auth', 'action_owner', {},
+ my $fa = ($in{'file'} eq 'info') ? 'info.file' : $in{'file'};
+ my ($role, $right) =
+ $list->may_edit($fa, $param->{'user'}{'email'});
+ unless ($right eq 'write') {
+ Sympa::Report::reject_report_web('auth', 'edit_right',
+ {'role' => $role, 'right' => $right},
 $param->{'action'}, $list);
 wwslog('err', 'Not allowed');
 web_db_log(
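Review bot: The new per-file `may_edit` gate in do_savefile is applied only inside `if ($param->{'list'}) {`; the path taken when no list is selected continues past the end of the hunk, so it should be confirmed that robot-level files get an equivalent write check there, because the `'savefile' => ['owner', 'listmaster']` entry added to the privilege table gates on role, not on the per-file right. The allowlist test `unless ($in{'file'} and $Sympa::Tools::WWW::filenames{$in{'file'}}) {` runs before anything touches the filesystem and returns undef, which is the right fail-closed order for a request-supplied filename. At that point `$in{'file'}` has not passed the allowlist and is still passed into the `file_not_editable` report and the `wwslog` line, so the report template rendering it should be checked to escape it; that cannot be seen from this hunk. do_savefile continues outside the hunk.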