From 01f82356acfc1a0f3e45835f8f0693b902969137 Mon Sep 17 00:00:00 2001
From: K Clair <kclair@riseup.net>
Date: Fri, 27 Apr 2012 18:35:34 +0000
Subject: [PATCH] patch for arc_manage exploity

---
 sympa-6.0.6/wwsympa/wwsympa.fcgi.in | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sympa-6.0.6/wwsympa/wwsympa.fcgi.in b/sympa-6.0.6/wwsympa/wwsympa.fcgi.in
index 023911b..c1d0795 100644
--- a/sympa-6.0.6/wwsympa/wwsympa.fcgi.in
+++ b/sympa-6.0.6/wwsympa/wwsympa.fcgi.in
@@ -15998,6 +15998,10 @@ sub do_viewlogs {
 
 
 sub do_arc_manage {
+    unless (defined &check_authz('do_arc', 'web_archive.access')) {
+    	&report::reject_report_web('auth','access denied',{},$param->{'action'},$list);
+    	return undef;
+    }
     &wwslog('info', "do_arc_manage ($in{'list'})");
 
     my $search_base = $wwsconf->{'arc_path'}.'/'.$list->get_list_id();
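Review bot: The guard added to do_arc_manage checks `'web_archive.access'`, which by its name is the archive read scenario, while do_arc_delete in the third hunk requires `$param->{'is_owner'}`; the same read-level check is used for do_arc_download in the second hunk. If archive management and bulk download are meant to be owner-only, as the delete guard suggests, any user allowed to read the archive still reaches both, so consider `unless ($param->{'is_owner'}) {` with the `'action_owner'` report here as well. The first argument `'do_arc'` looks like a caller label copied from another handler and would presumably read better as `'do_arc_manage'` / `'do_arc_download'`; check_authz is not visible here, so confirm. The body of do_arc_manage continues past the hunk.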
@@ -16014,6 +16018,10 @@ sub do_arc_manage {
 
 ## create a zip file with archives from (list,month)
 sub do_arc_download {
+    unless (defined &check_authz('do_arc', 'web_archive.access')) {
+        &report::reject_report_web('auth','access denied',{},$param->{'action'},$list);
+        return undef;
+    }
     
     &wwslog('info', "do_arc_download ($in{'list'})");
     
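Review bot: The rejection branch in do_arc_download returns before the `&wwslog('info', "do_arc_download ($in{'list'})")` call, so a refused request is not recorded by this function, which makes repeated unauthorized requests to the archive handlers harder to spot in the logs. Unless check_authz or reject_report_web already log the refusal (neither is visible here), add a line such as `&wwslog('info', "do_arc_download: access denied ($in{'list'})");` before `return undef;`. The same applies to the guards in do_arc_manage (first hunk) and do_arc_delete (third hunk). The function body continues outside the hunk.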
@@ -16112,6 +16120,10 @@ sub do_arc_download {
 }
 
 sub do_arc_delete {
+    unless ($param->{'is_owner'}) {
+      &report::reject_report_web('auth','action_owner',{},$param->{'action'},$list);
+      return undef;
+    }
   
     my @abs_dirs;
     
-- 
GitLab