MOO-cows Mailing List Archive
[SECURITY] the basics? (was Re: force_input() and $do_command())
The computer is your friend.
Just a side note (at the risk of ridiculing myself by saying the obvious): I will
deliver a piece of infrared classified (can that really be called
classified?) data:
When you have a -x command, and you expect the user of the command to
have it defined on one of his/her ancestors, a simple check like:
    if (player != this)
      player:notify("Sorry.");
      return;
    endif
NEVER HURTS... the lack of it (as Gustavo showed) can result in a big mess...
Also, in a +x verb not called by the server directly, you should rely on
caller_perms() for security, not the value of player. (And don't
set_task_perms(player) in such verbs; you know who you are :-) :-)
Some food for thought: just because caller_perms() is not valid does not mean
it's safe to set_task_perms(player). (Those who laugh and have not fixed
their $root_class:huh lose 1 clone :)
Remember... trust no one ($no_one?), keep your laser handy.
The computer is your friend.
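
The two checks from the message above, side by side, as an added example that is not part of the original post. The verb names, the `greeting` property and the assumption that both verbs are wizard-owned are hypothetical; `$perm_utils:controls` is the LambdaCore utility verb.

```moo
"=== Verb 1 (hypothetical): <player class>:@greeting  any any any, perms rd (-x) ===";
"A -x verb is only ever started by the command parser, but the parser may have";
"found it on an object other than the typist, so check before acting on `this'.";
if (player != this)
  player:notify("Sorry.");
  return;
endif
this:set_greeting(argstr);
player:notify("Greeting set.");

"=== Verb 2 (hypothetical): <player class>:set_greeting  this none this, perms rxd (+x) ===";
"Any verb may call a +x verb, and `player' is inherited from the task that is";
"running, not from whoever wrote the calling code. Authorize the caller instead.";
who = caller_perms();
if (!valid(who) || !$perm_utils:controls(who, this))
  return E_PERM;
endif
"No set_task_perms(player) here: the decision above was made on caller_perms().";
this.greeting = args[1];
```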