MOO-cows Mailing List Archive

Minor security bug in $note_editor




The note editor permitted any user to change its description, aliases,
name, etc.  The problem occurred because the "save" command would set
task perms to player, which one would think would prevent this from
occurring, but having done that, would then call a :set_<propertyname>
verb if available.  #1:set_description permits calls by caller==this
(to allow for pass()), but of course, $note_editor *was* caller.

The fix is to install $note_editor:set_*:

@program $note_editor:set_
if ($perm_utils:controls(caller_perms(), this))
  return pass(@args);
else 
  return E_PERM;
endif
.

Note no reference to "caller==this" -- it's on a leaf node so it won't
ever be passed to.

      Judy Anderson yclept yduJ          'yduJ' rhymes with 'fudge'
 yduJ@cs.stanford.edu (personal mail)   yduJ@harlequin.com (work-related)
	Join the League for Programming Freedom, lpf@uunet.uu.net
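
The caller-versus-caller_perms distinction behind this bug, as an added Python model that is not part of the original post and is not LambdaCore code. The Obj class, the function names and the `patched` flag are assumptions made for illustration; the permission checks follow what the post describes.

```python
# Minimal model of MOO verb-call permissions; all names here are constructed.
E_PERM = "E_PERM"

class Obj:
    def __init__(self, name, owner=None, wizard=False, description=""):
        self.name, self.owner, self.wizard = name, owner, wizard
        self.description = description
        self.patched = False  # True once the leaf set_* verb is installed

def controls(who, what):
    # Stand-in for $perm_utils:controls: wizards and the owner control an object.
    return who.wizard or what.owner is who

def root_set_description(this, caller, caller_perms, text):
    # #1:set_description as the post describes it: caller == this is accepted
    # so that pass() from a child verb works.
    if caller is this or controls(caller_perms, this):
        this.description = text
        return text
    return E_PERM

def set_description(this, caller, caller_perms, text):
    # Verb dispatch: the leaf verb from the fix runs first when installed.
    if this.patched:
        if not controls(caller_perms, this):
            return E_PERM
        # pass(@args): the parent verb now sees caller == this.
        return root_set_description(this, this, this.owner, text)
    return root_set_description(this, caller, caller_perms, text)

def editor_save(editor, player, target, text):
    # "save": task perms are set to player, then target:set_description is
    # called from the editor, so caller is the editor object itself.
    return set_description(target, editor, player, text)

def demo():
    wizard = Obj("Wizard", wizard=True)
    guest = Obj("Guest")
    editor = Obj("$note_editor", owner=wizard, description="Note Editor")
    note = Obj("guest's note", owner=guest)
    before = editor_save(editor, guest, editor, "defaced")  # caller == this
    editor.description, editor.patched = "Note Editor", True
    after = editor_save(editor, guest, editor, "defaced")
    own_note = editor_save(editor, guest, note, "my text")
    by_owner = editor_save(editor, wizard, editor, "New text")
    return before, after, own_note, by_owner, editor.description

if __name__ == "__main__":
    print(demo())
```

The first result shows the unpatched editor accepting the write because caller == this; the later results show the leaf check rejecting the same call while writes to the player's own note and writes by the editor's owner still succeed.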
