Channel Admins are not allowed to set Channel Owner status!

This was reported back in April 2021, thanks Sarah!

    Subject: NGIRCD bug report
    Date: April 28 2021, 14:30:08 MESZ
    To: alex@barton.de

    Hello,

    I am writing to you to report a bug in ngircd.
    In any give channel, if an user is with mode +a (admin), he/she can
    sets mode +/-q(owner) to any other user. This is not inline with the
    documentation.

    I've looked into the code irc-mode.c, apparently an if block is
    missing. Below are the code snippets that I believe fixes the bug.

This patch is what Sarah sent in. Thanks a lot!

diff --git a/src/ngircd/irc-mode.c b/src/ngircd/irc-mode.c
index 0ea046e561c9196f646006602f0a14362149f42f..b505aee5e2c8af6a9d9fe3d61675403a55cc948c 100644 (file)
--- a/src/ngircd/irc-mode.c
+++ b/src/ngircd/irc-mode.c
@@ -740,6 +740,13 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
                        break;
                /* --- Channel user modes --- */
                case 'q': /* Owner */
+                       if(!is_oper && !is_machine && !is_owner) {
+                               connected = IRC_WriteErrClient(Origin,
+                                       ERR_CHANOPPRIVTOOLOW_MSG,
+                                       Client_ID(Origin),
+                                       Channel_Name(Channel));
+                               goto chan_exit;
+                       }
                case 'a': /* Channel admin */
                        if(!is_oper && !is_machine && !is_owner && !is_admin) {
                                connected = IRC_WriteErrClient(Origin,