MOO-cows Mailing List Archive


Re: [SERVER, SECURITY] bug in set_task_perms() ?

> In all of my verbs, to test top level-ness, I just make the quick and 
> tick-friendly check 'if (valid(caller))'.  A wiz can fool caller_perms(), 
> but can't fool the variable 'caller'.

Actually, any programmer can fool the variable caller.  Check it out:

;eval("return caller;")
=> {1, #-1}

So they could just call your verb with eval().


