MOO-cows Mailing List Archive


Re: Means of gathering data



Gustavo Glusman wrote:
> 
> Michael Moore wrote:
> >Here is a dump of the Generic Tape Recorder I wrote for logging interviews
> >on my MOO:
> 
> (snip)
> 
> >@chmod #1875:start rx
> >@program #1875:start
> >if (player.wizard)
> >  if (this.on)
> >    player:tell_with_subs("%T %<is> already recording.");
> >  else
> >    this.on = 1;
> >    $you:say_action(this.start_msg);
> >  endif
> >else
> >  return E_PERM;
> >endif
> >.
> 
> Please note that this verb, and many others in this dump, are insecure.
> They are +x and check whether the 'player' is a wizard - not a good
> combination!

Please explain to me the nature of the insecurity.  To me, it seems fine--
'player' is the object number of the player who initiated the task
that resulted in this code being run.  If that player's .wizard = 0 then
they will get E_PERM.

Is there some wiz-owned core code I don't know about that changes 'player'
to a wizard then executes other verbs with impunity?  I would point to _that_
code as being a security leak.

I wanted the code to be +x so wizards could write code of their own that
could call these verbs, and I checked .wizard because I wanted these things
to be wiz-only, period.

If I'm stupidly missing something blatantly obvious, please tell me.

Or did you just mean the code is lacking in self-confidence?  ;)
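Added example, not from either poster: the quoted verb reworked so the wiz-only test is made on the permissions the call actually runs under, since `player` is whoever started the command task and a `player.wizard` test on a +x verb therefore passes for any verb, by any programmer, that happens to run inside a wizard's command, whereas `caller_perms()` reports the permissions of the verb that made the call. It assumes #1875 is wizard-owned (implied, not stated, in the thread) and keeps the posted `tell_with_subs` / `$you:say_action` calls as-is.

```moo
@chmod #1875:start rx
@program #1875:start
"Added example (not from the thread): same behaviour as the posted verb,";
"but the wiz-only check is on the permissions in force, not on `player`.";
"Assumption: #1875 is owned by a wizard, so the verb itself runs wizardly";
"once this check passes.";
if (callers())
  "Called from another verb: trust only that verb's permissions.";
  "caller_perms() is #-1 when there is no calling verb, hence the";
  "valid() test below.";
  perms = caller_perms();
else
  "Invoked directly as a command: no calling verb, so the task runs";
  "with the permissions of whoever typed the command.";
  perms = player;
endif
if (!valid(perms) || !perms.wizard)
  return E_PERM;
endif
if (this.on)
  player:tell_with_subs("%T %<is> already recording.");
else
  this.on = 1;
  $you:say_action(this.start_msg);
endif
.
```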

