MOO-cows Mailing List Archive
Re: Means of gathering data
At 12:28 PM 6/14/96 PDT, Michael Moore wrote:
>Gustavo Glusman wrote:
>> Michael Moore wrote:
>> >Here is a dump of the Generic Tape Recorder I wrote for logging interviews
>> >on my MOO:
>> >@chmod #1875:start rx
>> >@program #1875:start
>> >if (player.wizard)
>> > if (this.on)
>> > player:tell_with_subs("%T %<is> already recording.");
>> > else
>> > this.on = 1;
>> > $you:say_action(this.start_msg);
>> > endif
>> > return E_PERM;
>> Please note that this verb, and many others in this dump, are insecure.
>> They are +x and check whether the 'player' is a wizard - not a good
>Please explain to me the nature of the insecurity. To me, it seems fine--
>'player' is the object number of the player who initiated the task
>that resulted in this code being run. If that player's .wizard = 0 then
>they will get E_PERM.
Since your verb is +x, I can do this, and just getting a wizard to talk to
me will bypass your security. Here's a standard check:
if ((callers() ? caller_perms() | player).wizard) ...
Michael Reece, Deprogrammer, HuskyLabs, Inc.
firstname.lastname@example.org
http://www.butterfly.net/sick/
http://www.butterfly.net/husky/
PGP Public Key available on request.
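The hardened form of the quoted verb, as an added example that is not from the original thread: the wizard test uses the permissions of the calling verb (caller_perms()) when one exists, and falls back to player only when the verb is typed directly. Object #1875 and the messages are taken from the quoted dump; everything else is assumed.

```moo
@chmod #1875:start rx
@program #1875:start
"Hardened start verb (added example, not the original tape recorder code).";
"A +x verb can be called from any other verb, so player.wizard is not";
"evidence of anything: a non-wizard's verb that runs while a wizard is the";
"player would pass that test. caller_perms() is the permissions of the verb";
"that called us, i.e. the owner of that verb, so a non-wizard's verb is";
"refused even when the wizard is the one who triggered the task.";
perms = callers() ? caller_perms() | player;
if (!perms.wizard)
  return E_PERM;
endif
if (this.on)
  player:tell_with_subs("%T %<is> already recording.");
else
  this.on = 1;
  $you:say_action(this.start_msg);
endif
.
```

The lone `.` ends @program input; the same `perms` line belongs at the top of every +x verb in the dump that currently tests player.wizard.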