MOO-cows Mailing List Archive


Re: [SERVER, SECURITY] bug in set_task_perms() ?

Gustavo Glusman writes:
> The problem is that wizperms can set_task_perms() to an invalid object.
> Some verbs rely on testing whether valid(caller_perms()), as a general test
> for 'am I being called from command line, or from another verb?', just
> because this is cheaper than using callers(). But setting task perms to an
> invalid may fool this.

I claim that this valid(caller_perms()) test was always bogus; the proper test
is `caller_perms() == #-1' or (yes, more expensive but you shouldn't be doing
it in the expensive failure case very often) `callers() == {}'.



Home | Subject Index | Thread Index