MOO-cows Mailing List Archive
Re: MOO trojan horse (was Re: more questions)
Date: Mon, 24 Feb 1997 11:17:57 PST
From: Brack <slayer@kaiwan.com>
In-Reply-To: <9702241053.AA04118@tidtest.total.fr>

At 03:53 AM 2/24/97 PST, Michel Lavondes wrote:
>
>In message <199702230046.TAA00296@mail.datasys.net>, "Mike Moore" writes:
>> > [My try at an object only the owner can move]
>> > @verb foo:moveto this none this
>> > @program foo:moveto
>> > if (player == this.owner)
>> > pass(@args);
>> > [...]
>>
>> This is actually a small security leak. The reason is, I could reprogram
>> my :tell verb (a commonly called one) to try to move an object with the
>> above code installed to wherever. When that object's owner pages me,
>> [...]
>> A more robust approach would be:
>>
>> if ($perm_utils:controls (caller_perms(), this) && (player == this.owner))
>> [...]
>
>Thanks. A related question: how would you implement a similar check for
>a verb that can be called both from the command level and deeper in the
>stack? Is that what caller is for? I'm still wondering about what that's
>for.
>
Instead of caller_perms(), try:

    valid(caller_perms()) ? caller_perms() | player

since caller_perms() is #-1 if it's called from the command line.

>How long do you think until we get MOO security consultants and tiger
>teams on the job market? :-(
>
Didn't know someone would actually want to pay a living wage for that kind
of thing. Of course if anyone wants to, I'm game...
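
Added example, not part of the original message and not MOO core code: a simplified Python model of the three checks discussed in this thread (the original player test, the $perm_utils:controls test, and the valid(caller_perms()) fallback), evaluated over four call paths. The Task tuple, the player names and the wizard set are constructed assumptions; None stands in for #-1.

```python
# Simplified model of a MOO task (an assumption, not LambdaMOO itself).
from typing import NamedTuple, Optional

WIZARDS = frozenset({"wizard"})   # constructed player names throughout
OWNER = "alice"                   # stands in for this.owner

class Task(NamedTuple):
    player: str                  # who typed the command that started the task
    caller_perms: Optional[str]  # programmer of the calling verb; None models #-1

def controls(who: Optional[str]) -> bool:
    """Model of $perm_utils:controls(who, this): wizards and the owner pass."""
    return who is not None and (who in WIZARDS or who == OWNER)

def naive_check(t: Task) -> bool:
    # player == this.owner
    return t.player == OWNER

def robust_check(t: Task) -> bool:
    # $perm_utils:controls(caller_perms(), this) && (player == this.owner)
    return controls(t.caller_perms) and t.player == OWNER

def fallback_check(t: Task) -> bool:
    # who = valid(caller_perms()) ? caller_perms() | player
    who = t.caller_perms if t.caller_perms is not None else t.player
    return controls(who) and t.player == OWNER

# Constructed call paths: alice owns the object, mallory owns a :tell verb.
SCENARIOS = {
    "owner types the command": Task("alice", None),
    "owner's own verb calls it": Task("alice", "alice"),
    "owner pages mallory, whose :tell calls it": Task("alice", "mallory"),
    "mallory types the command": Task("mallory", None),
}

def evaluate() -> dict:
    """Map each scenario to (naive, robust, fallback) allow decisions."""
    return {name: (naive_check(t), robust_check(t), fallback_check(t))
            for name, t in SCENARIOS.items()}

if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:42} naive={row[0]} robust={row[1]} fallback={row[2]}")
```

In this model the player-only test allows the call made through mallory's :tell, the controls(caller_perms()) test blocks it but also refuses the owner at the command level, and the fallback allows the owner on both paths while still refusing the :tell path.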