Completely reviewed all uses of irc->password, irc_setpass() and

USTATUS_IDENTIFIED after another account overwriting vulnerability was
found by Tero Marttila.

1 files changed, 3 insertions, 10 deletions

diff --git a/storage_text.c b/storage_text.c
index 78f7e3bd..8ce4edcf 100644
--- a/storage_text.c
+++ b/storage_text.c
@@ -43,7 +43,7 @@ static void text_init (void)
 	   it's read only! */
 }
 
-static storage_status_t text_load ( const char *my_nick, const char* password, irc_t *irc )
+static storage_status_t text_load( irc_t *irc, const char* password )
 {
 	char s[512];
 	char *line;
@@ -53,10 +53,7 @@ static storage_status_t text_load ( const char *my_nick, const char* password, i
 	user_t *ru = user_find( irc, ROOT_NICK );
 	account_t *acc, *acc_lookup[9];
 	
-	if( irc->status & USTATUS_IDENTIFIED )
-		return( 1 );
-	
-	g_snprintf( s, 511, "%s%s%s", global.conf->configdir, my_nick, ".accounts" );
+	g_snprintf( s, 511, "%s%s%s", global.conf->configdir, irc->nick, ".accounts" );
    	fp = fopen( s, "r" );
    	if( !fp ) return STORAGE_NO_SUCH_USER;
 	
@@ -68,10 +65,6 @@ static storage_status_t text_load ( const char *my_nick, const char* password, i
 		return STORAGE_INVALID_PASSWORD;
 	}
 	
-	/* Do this now. If the user runs with AuthMode = Registered, the
-	   account command will not work otherwise. */
-	irc->status |= USTATUS_IDENTIFIED;
-	
 	while( fscanf( fp, "%511[^\n]s", s ) > 0 )
 	{
 		fgetc( fp );
@@ -100,7 +93,7 @@ static storage_status_t text_load ( const char *my_nick, const char* password, i
 			acc_lookup[8] = acc;
 	}
 	
-	g_snprintf( s, 511, "%s%s%s", global.conf->configdir, my_nick, ".nicks" );
+	g_snprintf( s, 511, "%s%s%s", global.conf->configdir, irc->nick, ".nicks" );
 	fp = fopen( s, "r" );
 	if( !fp ) return STORAGE_NO_SUCH_USER;
 	while( fscanf( fp, "%s %d %s", s, &proto, nick ) > 0 )