Login
User Name:

Password:



Register
Forgot your password?
Vote for Us!
Couple bugs
Dec 12, 2017, 5:42 pm
By Remcon
Bug in disarm( )
Nov 12, 2017, 6:54 pm
By GatewaySysop
Bug in will_fall( )
Oct 23, 2017, 1:35 am
By GatewaySysop
Bug in do_zap( ), do_brandish( )
Oct 18, 2017, 1:52 pm
By GatewaySysop
Bug in get_exp_worth( )
Oct 10, 2017, 1:26 am
By GatewaySysop
LOP 1.45
Author: Remcon
Submitted by: Remcon
LOP Heroes Edition
Author: Vladaar
Submitted by: Vladaar
Heroes sound extras
Author: Vladaar
Submitted by: Vladaar
6Dragons 4.3
Author: Vladaar
Submitted by: Vladaar
Memwatch
Author: Johan Lindh
Submitted by: Vladaar
Users Online
CommonCrawl, Yandex, DotBot

Members: 0
Guests: 8
Stats
Files
Topics
Posts
Members
Newest Member
477
3,705
19,232
608
LAntorcha
Today's Birthdays
There are no member birthdays today.
Related Links
» SmaugMuds.org » Bugfix Lists » SWFOTE FUSS Bugfix List » [Bug] hset command does not v...
Forum Rules | Mark all | Recent Posts

[Bug] hset command does not validate the level field
< Newer Topic :: Older Topic >

Pages:<< prev 1 next >>
Post is unread #1 Sep 10, 2006, 11:53 am
Go to the top of the page
Go to the bottom of the page

Samson
Black Hand
GroupAdministrators
Posts3,639
JoinedJan 1, 2002

Bug: hset command does not validate the level field
Danger: Low - Will allow immortals with access to the hset command to set any level on a help they wish.
Found by: Kiasyn
Fixed by: Kiasyn

---

act_info.c, do_hset

Locate:
   if( !str_cmp( arg1, "level" ) )
   {
      pHelp->level = atoi( arg2 );
      send_to_char( "Done.\r\n", ch );
      return;
   }


Change to:
   if( !str_cmp( arg1, "level" ) )
   {
      int lev;

      if( !is_number(arg2) )
      {
         send_to_char( "Level field must be numeric.\r\n", ch );
         return;
      }

      lev = atoi(arg2);
      if( lev < -1 || lev > get_trust(ch) )
      {
         send_to_char( "You can't set the level to that.\r\n", ch );
         return;
      }
      pHelp->level = lev;
      send_to_char( "Done.\r\n", ch );
      return;
   }


The hset command was just a bit too trusting of the input it received. No checks were made to see if the level supplied fell within an accepted range, and did not even verify if the input was numeric.
       
Pages:<< prev 1 next >>