MOO-cows Mailing List Archive
Minor security bug in $note_editor

Date: Thu, 9 May 1996 11:27:54 PDT
From: Judy Anderson <yduj@cs.stanford.edu>
Posted-Date: Thu, 9 May 1996 11:27:54 -0700 (PDT)

The note editor permitted any user to change its description, aliases,
name, etc. The problem occurred because the "save" command would set
task perms to player, which one would think would prevent this from
occurring, but having done that, would then call a :set_<propertyname>
verb if available. #1:set_description permits calls by caller==this
(to allow for pass()), but of course, $note_editor *was* caller.

The fix is to install $note_editor:set_*:

@program $note_editor:set_
if ($perm_utils:controls(caller_perms(), this))
  return pass(@args);
else
  return E_PERM;
endif
.

Note no reference to "caller==this" -- it's on a leaf node so it won't
ever be passed to.
Judy Anderson yclept yduJ 'yduJ' rhymes with 'fudge'
yduJ@cs.stanford.edu (personal mail) yduJ@harlequin.com (work-related)
Join the League for Programming Freedom, lpf@uunet.uu.net
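
The flaw and the fix described in the message above, as a small Python model added here (not code from the original message or from LambdaCore). The `Obj` class, the player names, `controls` and `editor_save` are constructed stand-ins; only the two permission checks follow the message.

```python
# Simplified model of the MOO call-frame values the message relies on:
# `this`, `caller` and caller_perms(). All names and data are constructed.
from dataclasses import dataclass

E_PERM = "E_PERM"
WIZARDS = {"Wizard"}

@dataclass
class Obj:
    name: str
    owner: str
    description: str = ""

def controls(who, obj):
    # Stand-in for $perm_utils:controls (assumed: owner or wizard).
    return who == obj.owner or who in WIZARDS

def root_set_description(this, caller, caller_perms, text):
    # #1:set_description as the message describes it: caller == this is
    # accepted so that a child's verb can reach it through pass().
    if caller is this or controls(caller_perms, this):
        this.description = text
        return 1
    return E_PERM

def fixed_set_description(this, caller, caller_perms, text):
    # The $note_editor:set_* fix: only caller_perms() is consulted.
    if controls(caller_perms, this):
        # pass(): the root verb now sees caller == this; perms are those of
        # the passing verb (assumed owned by the object's owner).
        return root_set_description(this, this, this.owner, text)
    return E_PERM

def editor_save(editor, target, player, text, setter):
    # "save": task perms were dropped to the player, but the object making
    # the call to the target's set_ verb is still the editor.
    return setter(this=target, caller=editor, caller_perms=player, text=text)

def demo():
    editor = Obj("$note_editor", owner="Wizard", description="original")
    note = Obj("a note", owner="Guest")
    r = {}
    r["own_note"] = editor_save(editor, note, "Guest", "mine", root_set_description)
    r["editor_before_fix"] = editor_save(editor, editor, "Guest", "changed", root_set_description)
    editor.description = "original"
    r["editor_after_fix"] = editor_save(editor, editor, "Guest", "changed", fixed_set_description)
    r["editor_desc"] = editor.description
    r["owner_after_fix"] = editor_save(editor, editor, "Wizard", "new text", fixed_set_description)
    return r
```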