MOO-cows Mailing List Archive


[SECURITY] the basics? (was Re: force_input() and $do_command())

The computer is your friend.

Juste a side note (risking to ridiculize myself saying the obvious) I will
deliver a piece of infrared classified (can that really be called
classified?) data:

When you have a -x command, and that you expect the user of the command to
have it defined on one of his/her ancestors, a simple check like:

if (player != this)

NEVER HURT... the lack it (as Gustavo showed it) can result in a big mess...

Also in a +x verb not called by the server directly, you should rely on the
caller_perms() for security not the value of player. (And don't
set_task_perms(player) in such verbs; you know who you are :-) :-)

Some food for thought: it's not because caller_perms() are not valid that
it's safe to set_task_perms(player). (Those who laugh hand have not fixed
their $root_class:huh lose 1 clone :)

Remember... trust no one ($no_one?), keep your laser handy.

The computer is your friend.

Follow-Ups: References:

Home | Subject Index | Thread Index