MOO-cows Mailing List Archive


Re: [SECURITY] the basics? (was Re: force_input() and $do_command())



At 6:28 -0800 7/7/96, Eric Mercer wrote:
>At 02:41 AM 07/07/96 PDT, Richard Godard wrote:
>>When you have a -x command, and you expect the user of the command to
>>have it defined on one of his/her ancestors, a simple check like:
>>
>>if (player != this)
>>   player:notify("Sorry.");
>>   return;
>>endif
>>
>>
>>NEVER HURTS... the lack of it (as Gustavo showed) can result in a big mess...
>
>Shark frenzy!  This one will hurt when your fellow wizard, who is not so
>bright when it comes to security, sets the verb +x and suddenly "player" is
>vulnerable.  However, using:

Well, as stated on the first line: WHEN YOU HAVE A -X COMMAND/VERB...

Then if your fellow wizard is clueless enough to do that with +x commands...
then maybe the clueless wizard might want to read your paper about MOO
security? (Eric, could you bring light to the masses and remind us of the
URL? Thanks.)

>if (caller!=this)
>  return player:notify(E_PERM);
>endif
>
>will work if the verb is +x or -x so you might as well use that instead.
>The consequences of security holes in verbs on user characters is usually
>sufficiently nasty that it's best to use every opportunity to guard.

Of course, of course... But I'm tempted to say:
Shark frenzy!  This one will hurt when your fellow wizard, who is not so
bright when it comes to security, sets the verb +x and suddenly the
set_task_perms(player) that is a few lines below can be fooled... (because
if it's +x && (caller == this) && (player != caller) your
fellow-not-so-bright-wiz will get a bad surprise if the verb is defined on a
public player class and this == name_your_favorite_hacker)

We could argue at length about using set_task_perms(this) rather than
set_task_perms(player), ...

But I will just quote my first mail:
>Also in a +x verb not called by the server directly, you should rely on the
>caller_perms() for security not the value of player.

I would add that if the verb is +x and intended to be called by both the
server (as a command) and other verbs, then it's up to you to make a proper
security check that will tell the difference between a server call and an
in-db verb call...

Paranoidly yours,

Janus (two faces, one always looking in the back)
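The scenario Janus describes (a wizard-owned +x verb on a public player class, a `caller == this` check, then `set_task_perms(player)`) can be played through in a small model of LambdaMOO's task-permission rules. This is an added example, not code from the thread or from any MOO core; the object numbers, the verb names `setdesc` and `look_self`, the puppet object and the Python model itself are assumptions made for illustration. The rules it encodes are: `player` is whoever typed the command that started the task, `caller_perms()` is the owner of the calling verb and #-1 when the server invoked the verb directly, a -x verb raises E_VERBNF when called from another verb, and `set_task_perms()` succeeds only when the running permissions are wizardly or already name the target.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

NOTHING = -1  # MOO's #-1: what caller_perms() returns inside a server-started task

class E_PERM(Exception): pass
class E_VERBNF(Exception): pass

@dataclass
class Verb:
    owner: int        # programmer whose permissions the verb runs with
    executable: bool  # True for +x, False for -x
    body: Callable

@dataclass
class Obj:
    id: int
    owner: int
    wizard: bool = False
    parent: Optional["Obj"] = None
    verbs: Dict[str, Verb] = field(default_factory=dict)

    def find_verb(self, name):
        o = self
        while o is not None:  # verbs are inherited up the parent chain
            if name in o.verbs:
                return o.verbs[name]
            o = o.parent
        raise E_VERBNF(name)

@dataclass
class Frame:
    player: int        # who typed the command that started the task
    this: Obj          # object the verb was called on
    caller: int        # object whose verb made the call; == player for server calls
    caller_perms: int  # owner of the calling verb; NOTHING for server calls
    perms: int         # permissions the current verb is running with

class Moo:
    def __init__(self, *objs):
        self.objs = {o.id: o for o in objs}

    def set_task_perms(self, frame, who):
        # Only a wizardly task may take on someone else's permissions.
        if not (self.objs[frame.perms].wizard or who == frame.perms):
            raise E_PERM("set_task_perms")
        frame.perms = who

    def command(self, typist, target, name):
        """The server runs target:name as a command typed by `typist`."""
        verb = target.find_verb(name)
        return verb.body(self, Frame(typist.id, target, typist.id, NOTHING, verb.owner))

    def call(self, frame, target, name):
        """In-db call target:name() made by the verb running in `frame`."""
        verb = target.find_verb(name)
        if not verb.executable:
            raise E_VERBNF(name)  # a -x verb cannot be called from other verbs
        return verb.body(self, Frame(frame.player, target, frame.this.id,
                                     frame.perms, verb.owner))

def weak_setdesc(moo, frame):
    """The pattern criticised in the post: caller == this, then trust player."""
    if frame.caller != frame.this.id:
        raise E_PERM("caller != this")
    moo.set_task_perms(frame, frame.player)
    return frame.perms  # whose authority the rest of the verb would act with

def hardened_setdesc(moo, frame):
    """Tell a server call from an in-db call before dropping privileges."""
    if frame.caller_perms == NOTHING:
        who = frame.player        # server command: player really is the typist
    elif frame.caller == frame.this.id:
        who = frame.caller_perms  # in-db call: only the calling verb's owner
    else:
        raise E_PERM("caller != this")
    moo.set_task_perms(frame, who)
    return frame.perms

def puppet_look_self(moo, frame):
    """Hacker-owned verb on a $player child; runs whenever someone looks at it."""
    return moo.call(frame, frame.this, "setdesc")

def build_world(setdesc_body, executable=True):
    """Constructed sample db: wizard #2 owns $player (#3); victim #10 and hacker
    #11 are players; #12 is a $player child the hacker owns and programs."""
    player_class = Obj(3, owner=2)
    player_class.verbs["setdesc"] = Verb(2, executable, setdesc_body)
    victim = Obj(10, owner=10, parent=player_class)
    puppet = Obj(12, owner=11, parent=player_class)
    puppet.verbs["look_self"] = Verb(11, True, puppet_look_self)
    moo = Moo(Obj(2, owner=2, wizard=True), player_class, victim,
              Obj(11, owner=11, parent=player_class), puppet)
    return moo, victim, puppet

def perms_after_attack(setdesc_body, executable=True):
    """Victim types 'look puppet'; returns the perms setdesc ended up running with."""
    moo, victim, puppet = build_world(setdesc_body, executable)
    try:
        return moo.command(victim, puppet, "look_self")
    except E_VERBNF:
        return "E_VERBNF"

def perms_after_own_command(setdesc_body):
    """The legitimate use: the victim types the command on himself."""
    moo, victim, _ = build_world(setdesc_body)
    return moo.command(victim, victim, "setdesc")
```

With the weak verb, `perms_after_attack(weak_setdesc)` comes back as the victim (#10): the victim only looked at the hacker's puppet, yet the inherited verb passed `caller == this` and then handed the victim's permissions to a task the hacker's own verb started. With the hardened verb the same call yields the hacker (#11), because an in-db call is only ever trusted as far as `caller_perms()`, while `player` is used solely when `caller_perms()` is #-1, the server-call case Janus says must be told apart. Setting the verb back to -x (`perms_after_attack(weak_setdesc, executable=False)`) fails with E_VERBNF before any check runs, which is the situation the first quoted paragraph is about.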
