summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJesusalva Jesusalva <jesusalva@themanaworld.org>2022-12-15 12:11:37 +0000
committerJesusalva Jesusalva <jesusalva@themanaworld.org>2022-12-15 12:11:37 +0000
commit00318e4c05a399bcfc5bbca5453a302176cd52fa (patch)
treee7884d8475c363bc4c2ba09a2beefe63cc650669
parenta01f9d8865fb62e993864257ba28dfab21435ae7 (diff)
parent33d50a92b8be36e194403027e1d2193a5b6a28e2 (diff)
downloadmanamarket-00318e4c05a399bcfc5bbca5453a302176cd52fa.tar.gz
manamarket-00318e4c05a399bcfc5bbca5453a302176cd52fa.tar.bz2
manamarket-00318e4c05a399bcfc5bbca5453a302176cd52fa.tar.xz
manamarket-00318e4c05a399bcfc5bbca5453a302176cd52fa.zip
Merge branch 'jak1/priv_esc_bugfix' into 'master'
fixed minor accesslevel vuln. reported by Hello=). See merge request legacy/manamarket!15
-rwxr-xr-xmain.py3
1 files changed, 3 insertions, 0 deletions
diff --git a/main.py b/main.py
index 2f43894..cd4397e 100755
--- a/main.py
+++ b/main.py
@@ -422,6 +422,9 @@ def process_whisper(nick, msg, mapserv):
return
if broken_string[1].isdigit() and broken_string[2].isdigit():
+ if int(broken_string[1]) > user.get("accesslevel"):
+ mapserv.sendall(whisper(nick, "You can't give someone a higher accesslevel than your own."))
+ return
al = int(broken_string[1])
stalls = int(broken_string[2])
player_name = " ".join(broken_string[3:])