MOO-cows Mailing List Archive


Re: MOO trojan horse (was Re: more questions)



At 13:17 -0600 2/24/97, Brack wrote:
>> A more robust approach would be:
>>
>> if ($perm_utils:controls (caller_perms(), this) && (player == this.owner))
>> [...]
>
>Thanks. A related question: how would you implement a similar check for
>a verb that can be called both from the command level and deeper in the
>stack? Is that what caller is for? I'm still wondering about what that's
>for.
>
>instead of caller_perms(), try:
>valid(caller_perms()) ? caller_perms() | player
>since caller_perms() is #-1 if it's called from the command line.

Since it's #-1 the test should be:
(caller_perms() == #-1) ? player | caller_perms()

Of course, to be really rigorous it would need something like this:

@verb $perm_utils:secure_call_or_command tnt rxd
@program $perm_utils:secure_call_or_command
{perms, what, ?who=player} = args;
if (valid(perms))
  return $perm_utils:controls(perms, what);
  "That's a verb call.";
elseif (length(c = callers()) == 1 && c[1][1] == #-1)
  return $perm_utils:controls(who, what);
  "That's a command.";
else
  return 0;
  "That's not normal => that's not secure.";
endif
.

Then your test would be:

if (!$perm_utils:secure_call_or_command(caller_perms(), this))
  return callers() ? raise(E_PERM) | player:notify("Sorry you can't do that.");
else
 /* your code here */
endif

Just my $0.02

Richard



