MOO-cows Mailing List Archive


Minor security bug in $note_editor

The note editor permitted any user to change its description, aliases,
name, etc.  The problem occurred because the "save" command would set
task perms to player, which one would think would prevent this from
occurring, but having done that, would then call a :set_<propertyname>
verb if available.  #1:set_description permits calls by caller==this
(to allow for pass()), but of course, $note_editor *was* caller.

The fix is to install $note_editor:set_*:

@program $note_editor:set_
if ($perm_utils:controls(caller_perms(), this))
  return pass(@args);
else
  return E_PERM;
endif
.

Note no reference to "caller==this" -- it's on a leaf node so it won't
ever be passed to.

      Judy Anderson yclept yduJ          'yduJ' rhymes with 'fudge' (personal mail) (work-related)
	Join the League for Programming Freedom,
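
Added example, not part of the original message and not LambdaCore code: a simplified Python model of the call flow described above, showing why the caller==this check passes when the editor calls a verb on itself and how a caller_perms() check on the leaf verb stops it. Obj, controls, editor_save, demo and the two principals are constructed names, and the controls() fallback in the model of #1:set_description, like the wizard-owned verb in the pass() step, is an assumption.

```python
from dataclasses import dataclass

WIZARD, ALICE = "wizard", "alice"  # constructed principals

@dataclass
class Obj:
    name: str
    owner: str
    description: str = ""

def controls(who, obj):
    """Stand-in for $perm_utils:controls: wizards and owners control obj."""
    return who == WIZARD or who == obj.owner

def root_set_description(this, caller, caller_perms, text):
    """Model of #1:set_description; the controls() fallback is an assumption."""
    if caller is this or controls(caller_perms, this):  # caller==this allows pass()
        this.description = text
        return True
    return False  # E_PERM

def editor_set_description(this, caller, caller_perms, text):
    """Model of the $note_editor:set_* fix: check caller perms, then pass()."""
    if not controls(caller_perms, this):
        return False  # E_PERM
    # pass(@args): the parent verb runs with `this` unchanged, so it sees
    # caller == this. The verb owner is assumed to be a wizard.
    return root_set_description(this, this, WIZARD, text)

def editor_save(editor, player, target, text, patched):
    """Model of save: set_task_perms(player), then target:set_description.
    In the callee, `caller` is the editor object itself."""
    task_perms = player  # set_task_perms(player)
    overridden = patched and target is editor  # leaf verb is found first
    verb = editor_set_description if overridden else root_set_description
    return verb(target, editor, task_perms, text)

def demo():
    results = {}
    for patched in (False, True):
        editor = Obj("$note_editor", WIZARD, "original")
        note = Obj("alice's note", ALICE)
        results[patched] = (
            editor_save(editor, ALICE, editor, "changed by alice", patched),
            editor.description,
            editor_save(editor, ALICE, note, "my note", patched),
            editor_save(editor, WIZARD, editor, "wizard edit", patched),
        )
    return results
```

In the patched run the non-owner's save on the editor is refused, while saving her own note and a wizard's edit of the editor still succeed.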
