MOO-cows Mailing List Archive


Re: [SECURITY] the basics? (was Re: force_input() and $do_command())



At 02:41 AM 07/07/96 PDT, Richard Godard wrote:
>When you have a -x command, and you expect the user of the command to
>have it defined on one of his/her ancestors, a simple check like:
>
>if (player != this)
>   player:notify("Sorry.");
>   return;
>endif
>
>
>NEVER HURT... the lack of it (as Gustavo showed it) can result in a big mess...

Shark frenzy!  This one will hurt when your fellow wizard, who is not so
bright when it comes to security, sets the verb +x and suddenly "player" is
vulnerable.  However, using:

if (caller!=this)
  return player:notify(E_PERM);
endif

will work if the verb is +x or -x so you might as well use that instead.
The consequences of security holes in verbs on user characters are usually
sufficiently nasty that it's best to use every opportunity to guard.

--
Eric (EricM @ BioMOO and Diversity University)
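
The difference between the two guards in this thread, as an added Python model (not code from either poster and not LambdaMOO itself). It assumes the usual LambdaMOO bindings: `caller` equals `player` for a typed command and equals the calling verb's `this` for a nested call, and a -x verb cannot be called from code; the object names are constructed.

```python
# Simplified model of LambdaMOO verb-call bindings (assumed, not server code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Call:
    player: str   # who typed the command that started the task
    caller: str   # the player for a typed command, else `this` of the calling verb
    this: str     # object the guarded verb lives on
    nested: bool  # True when invoked from another verb's code

def guard_player(c):   # the check in the quoted message: player == this
    return c.player == c.this

def guard_caller(c):   # the check in the reply: caller == this
    return c.caller == c.this

def outcome(call, x_bit, guard):
    if call.nested and not x_bit:
        return "E_VERBNF"          # assumption: -x verbs are not callable from code
    return "runs" if guard(call) else "denied"

# Constructed call paths against a verb defined on alice's player object.
# In the third case alice typed a command that ran a verb on bob's object,
# so `player` is still alice while `caller` is bob's object.
CASES = {
    "alice types it":        Call("alice", "alice", "alice", False),
    "bob types it":          Call("bob", "bob", "alice", False),
    "bob's object calls it": Call("alice", "bobs_object", "alice", True),
}

def matrix():
    rows = {}
    for x_bit in (False, True):
        for name, call in CASES.items():
            rows[(name, x_bit)] = (outcome(call, x_bit, guard_player),
                                   outcome(call, x_bit, guard_caller))
    return rows

if __name__ == "__main__":
    for (name, x_bit), (p, c) in matrix().items():
        flag = "+x" if x_bit else "-x"
        print(f"{flag}  {name:<22} player-check={p:<8} caller-check={c}")
```

The only row where the two guards disagree is the +x verb reached through another object's verb: the `player` check lets it run, the `caller` check denies it.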



