MOO-cows Mailing List Archive
Minor security bug in $note_editor
Date: Thu, 9 May 1996 11:27:54 PDT
From: Judy Anderson <firstname.lastname@example.org>
Posted-Date: Thu, 9 May 1996 11:27:54 -0700 (PDT)
The note editor permitted any user to change its description, aliases,
name, etc. The problem occurred because the "save" command would set
task perms to player, which one would think would prevent this from
occurring, but having done that, would then call a :set_<propertyname>
verb if available. #1:set_description permits calls by caller==this
(to allow for pass()), but of course, $note_editor *was* caller.
The fix is to install $note_editor:set_*:
    if ($perm_utils:controls(caller_perms(), this))
Note no reference to "caller==this" -- it's on a leaf node so it won't
ever be passed to.
Judy Anderson yclept yduJ 'yduJ' rhymes with 'fudge'
yduJ@cs.stanford.edu (personal mail) yduJ@harlequin.com (work-related)
Join the League for Programming Freedom, email@example.com
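The bug and the fix described in the message above, as an added Python model that is not part of the original post and is not LambdaCore code. The Obj class, the controls() ownership rule, and the controls(caller_perms, this) branch in the #1 setter are assumptions made for illustration; only the caller==this allowance and the caller_perms() check come from the message.

```python
# Toy model of the MOO call semantics in this post (constructed; not LambdaCore code).
from dataclasses import dataclass

E_PERM = "E_PERM"

@dataclass(eq=False)
class Obj:
    name: str
    owner: "Obj | None" = None
    wizard: bool = False
    description: str = ""

def controls(who, what):
    # Assumed stand-in for $perm_utils:controls: wizards and owners control.
    return who.wizard or what.owner is who

def root_set_description(this, caller, caller_perms, text):
    # Models #1:set_description: accepts caller == this so pass() works.
    if caller is this or controls(caller_perms, this):
        this.description = text
        return True
    return E_PERM

def fixed_set_description(this, caller, caller_perms, text):
    # Models the $note_editor:set_* override: no caller == this shortcut.
    if controls(caller_perms, this):
        # pass(@args): the parent verb now sees caller == this.
        return root_set_description(this, this, caller_perms, text)
    return E_PERM

def save(editor, player, target, text, setter):
    # "save" drops task perms to player, yet the editor object is still caller.
    return setter(target, caller=editor, caller_perms=player, text=text)

def demo():
    wizard = Obj("wizard", wizard=True)
    guest = Obj("guest")
    editor = Obj("$note_editor", owner=wizard, description="original")
    note = Obj("note", owner=guest)
    return {
        "own_note": save(editor, guest, note, "mine", root_set_description),
        "bug": save(editor, guest, editor, "defaced", root_set_description),
        "bug_desc": editor.description,
        "fixed": save(editor, guest, editor, "again", fixed_set_description),
        "after_fix_desc": editor.description,
        "wizard": save(editor, wizard, editor, "restored", fixed_set_description),
    }

if __name__ == "__main__":
    print(demo())
```

The "bug" entry succeeds only because the editor object is both caller and target; with the override in place the same call is decided by the player's permissions alone.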