Re: [SECURITY] the basics? (was Re: force_input() and $do_command())

At 02:41 AM 07/07/96 PDT, Richard Godard wrote:
>When you have a -x command, and you expect the user of the command to
>have it defined on one of his/her ancestors, a simple check like:
>if (player != this)
>   player:notify("Sorry.");
>   return;
>endif
>NEVER HURTS... the lack of it (as Gustavo showed) can result in a big mess...

Shark frenzy!  This one will hurt when your fellow wizard, who is not so
bright when it comes to security, sets the verb +x and suddenly "player" is
vulnerable.  However, using:

if (caller != this)
  return player:notify(E_PERM);
endif

will work if the verb is +x or -x so you might as well use that instead.
The consequences of security holes in verbs on user characters are usually
sufficiently nasty that it's best to use every opportunity to guard.

Eric (EricM @ BioMOO and Diversity University)
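To make the player-vs-caller difference concrete, here is an added example
(mine, not code from either post), written as two LambdaMOO verbs with made-up
names: a +x command verb set_title on $player that changes the player's own
title, and a rub verb on a lamp owned by an attacker. The .title property,
the verb names and the LambdaCore-style $player:tell are all assumptions for
the sake of the example.

```moo
"=== Verb 1: $player:set_title   args: any none none   perms: rxd (+x) ===";
"Added example with hypothetical names (set_title, .title); not from the posts.";
"Sets the player's own title, e.g. the user types:  set_title Poobah";
"Guard on caller, not on player.  For a typed command caller == player == this,";
"so the legitimate use still passes.  If some other object's verb calls";
"player:set_title(), caller is that object and we refuse, +x or not.";
"A  player != this  test would NOT catch that call, because player is still";
"the victim who typed the command that started the task (see verb 2).";
if (caller != this)
  player:tell("Sorry.");
  return E_PERM;
endif
if (!args)
  return player:tell("Usage: set_title <new title>");
endif
this.title = args[1];
player:tell("Your title is now \"", this.title, "\".");

"=== Verb 2: lamp:rub   args: this none none   perms: rxd   on an object the attacker owns ===";
"The attacker drops the lamp in a public room and waits.  When the victim";
"types  rub lamp , the server starts a task with player == victim, this ==";
"the lamp and caller == player.  Nothing stops this verb from calling";
"the victim's own verbs on the victim's object:";
r = player:set_title("pwned");
"Inside set_title the frame is: this == victim, player == victim,";
"caller == the lamp.  With the caller guard, r == E_PERM and nothing changes.";
"With only  if (player != this)  the test passes and the title is changed.";
"Had set_title been -x, the call above would raise E_VERBNF instead; the";
"caller guard is what keeps the verb safe once someone makes it +x.";
player:tell("You rub the lamp.  Nothing happens.");
```

The point to take from verb 2 is that player is whoever typed the command
that started the task, and any command verb on an object the attacker owns
runs in a task where that is the victim. caller, by contrast, is the object
whose verb made the call, so it cannot be made to look like the victim from
the outside.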


