MOO-cows Mailing List Archive
Re: Means of gathering data
Gustavo Glusman wrote:
> Michael Moore wrote:
> >Here is a dump of the Generic Tape Recorder I wrote for logging interviews
> >on my MOO:
> >@chmod #1875:start rx
> >@program #1875:start
> >if (player.wizard)
> > if (this.on)
> > player:tell_with_subs("%T %<is> already recording.");
> > else
> > this.on = 1;
> > $you:say_action(this.start_msg);
> > endif
> > return E_PERM;
> Please note that this verb, and many others in this dump, are insecure.
> They are +x and check whether the 'player' is a wizard - not a good
Please explain to me the nature of the insecurity. To me, it seems fine--
'player' is the object number of the player who initiated the task
that resulted in this code being run. If that player's .wizard = 0 then
they will get E_PERM.
Is there some wiz-owned core code I don't know about that changes 'player'
to a wizard then executes other verbs with impunity? I would point to _that_
code as being a security leak.
I wanted the code to be +x so wizards could write code of their own that
could call these verbs, and I checked .wizard because I wanted these things
to be wiz-only, period.
If I'm stupidly missing something blatantly obvious, please tell me.
Or did you just mean the code is lacking in self-confidence? ;)
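An added example (editor's illustration, not code from Michael's dump or from the thread) of how the same verb can be checked without relying on 'player' alone: in LambdaMOO, 'player' stays the wizard who started the task even when the task passes through verbs written by other users, so a +x verb that only tests player.wizard accepts a call from any code a wizard happens to run; caller_perms() reports the permissions of the calling verb instead. The object number, property names and messages are taken from the quoted dump; callers() and caller_perms() are standard server builtins.

```moo
@program #1875:start
"Wiz-only 'start' verb: accept a direct command from a wizard, or a call from";
"a verb running with wizard permissions; refuse everything else.";
if (!callers())
  "Typed straight from the command line: there is no calling verb, so";
  "caller_perms() is #-1 here and 'player' is the one to trust.";
  allowed = player.wizard;
else
  "Called from another verb: judge that verb's permissions, not 'player',";
  "so a non-wizard's verb cannot reach this one on a wizard's behalf.";
  allowed = caller_perms().wizard;
endif
if (!allowed)
  return E_PERM;
endif
if (this.on)
  player:tell_with_subs("%T %<is> already recording.");
else
  this.on = 1;
  $you:say_action(this.start_msg);
endif
.
```

The verb can stay +x with this check: wizard-owned code still calls it, while a call arriving through a non-wizard's verb gets E_PERM regardless of who 'player' is.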