MOO-cows Mailing List Archive


Re: MOO trojan horse (was Re: more questions)

At 13:17 -0600 2/24/97, Brack wrote:
>> A more robust approach would be:
>> if ($perm_utils:controls (caller_perms(), this) && (player == this.owner))
>> [...]
>Thanks. A related question : how would you implement a similar check for
>a verb that can be called both from the command level and deeper in the
>stack ? Is that what caller is for ? I'm still wondering about what that's
>instead of caller_perms(), try:
>valid(caller_perms()) ? caller_perms() | player
>since caller_perms() is #-1 if it's called from the command line.

Since it's #-1 the test should be: (caller_perms() == #-1) ? player |

Of course to be really rigourous it would need something like this

@verb $perm_utils:secure_call_or_command tnt rxd
@program $perm_utils:secure_call_or_command
{perms, what, ?who=player} = args;
if (valid(perms))
  return $petm_utils:controls(perms, what);
  "That's a verb call.";
elseif (length(c = callers()) == 1 && c[1][1] == #-1)
  return $petm_utils:controls(who, what);
  "That's a command.";
  return 0;
  "That's not normal => that's not secure.";

Then your test would be:

if (!$perm_utils:secure_call_or_command(caller_perms(), this))
  return callers() ? raise(E_PERM) | player:notify("Sorry you can't do that.");
 /* your code here */

Just my $0.02



Home | Subject Index | Thread Index