MOO-cows Mailing List Archive


Re: more questions



> In message <330E48B0.70D7@itchen.hants.gov.uk>, Tim MacLachlan writes:
> > 
> > 1. How do I create an object that cannot be moved by anyone other than
> > me? (hope you don't mind me including your question, Stephen)
> 
> @verb foo:moveto this none this
> @program foo:moveto
> if (player == this.owner)
>   pass(@args);
> else
>   player:tell("You fail to move ", this.name, " to ", args[1].name, ".");
> endif

This is actually a small security leak.  The reason is, I could reprogram
my :tell verb (a commonly called one) to try to move an object with the
above code installed to wherever.  When that object's owner pages me,
says something in a room I'm in, or does one of a zillion other things
that could result in my :tell being called, then 'player' in that verb call
will pass that permissions check.

A more robust approach would be:

if ($perm_utils:controls (caller_perms(), this) && (player == this.owner))

This one checks to see that the owner of the verb calling this:moveto()
has permissions for this object (i.e. the owner or a wizard) and that the
task that resulted in the verbcall was started by this object's owner.

That way, my malicious :tell verb would fail to move the object.
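
The two checks compared side by side, modelled in Python as an added example that is not part of the original message. The players `alice` and `mallory`, the function names and the scenario table are constructed; `controls` assumes `$perm_utils:controls` grants access to the object's owner and to wizards, as the message describes.

```python
from dataclasses import dataclass

WIZARDS = {"wizard"}  # constructed: players holding the wizard bit

@dataclass(frozen=True)
class Obj:
    name: str
    owner: str

def controls(who: str, obj: Obj) -> bool:
    """Model of $perm_utils:controls(who, obj): true for the owner or a wizard."""
    return who in WIZARDS or who == obj.owner

def naive_moveto(obj: Obj, player: str, caller_perms: str) -> bool:
    # Quoted check: looks only at who started the task, so caller_perms is ignored.
    return player == obj.owner

def robust_moveto(obj: Obj, player: str, caller_perms: str) -> bool:
    # Suggested check: the calling verb's owner must control the object
    # AND the task must have been started by the object's owner.
    return controls(caller_perms, obj) and player == obj.owner

# Constructed scenarios: (player who started the task, owner of the verb calling :moveto)
SCENARIOS = {
    "owner's verb in owner's task": ("alice", "alice"),
    "mallory's :tell, run because alice paged her": ("alice", "mallory"),
    "mallory's verb in mallory's task": ("mallory", "mallory"),
    "wizard-owned verb in owner's task": ("alice", "wizard"),
}

def evaluate(obj: Obj) -> dict:
    """Return {scenario: (naive_allows, robust_allows)} for every scenario."""
    return {
        label: (naive_moveto(obj, player, perms), robust_moveto(obj, player, perms))
        for label, (player, perms) in SCENARIOS.items()
    }

if __name__ == "__main__":
    foo = Obj(name="foo", owner="alice")
    for label, (naive, robust) in evaluate(foo).items():
        print(f"{label:46} naive={naive!s:5} robust={robust}")
```

Only the second scenario separates the checks: `player` is still the object's owner, but the verb making the call belongs to someone who does not control the object.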


