[Bug] More insecure name/rename/filename handling
#1 Sep 30, 2006, 6:40 pm

Samson

Bug: More insecure name/rename/filename handling
Danger: High - Data corruption. File corruption.
Found by: Keberus
Fixed by: Keberus

---

space.c, do_setstarsystem

Locate:
   if( !str_cmp( arg2, "name" ) )
   {
      STRFREE( starsystem->name );
      starsystem->name = STRALLOC( argument );
      send_to_char( "Done.\r\n", ch );
      save_starsystem( starsystem );
      return;
   }


Change to:
   if( !str_cmp( arg2, "name" ) )
   {
      SPACE_DATA *tstarsystem = NULL;

      if( !argument || argument[0] == '\0' )
      {
         send_to_char( "You can't name a starsystem nothing.\r\n", ch );
         return;
      }
      if( ( tstarsystem = starsystem_from_name( argument ) ) != NULL )
      {
         send_to_char( "There is already another starsystem with that name.\r\n", ch );
         return;
      }
      STRFREE( starsystem->name );
      starsystem->name = STRALLOC( argument );
      send_to_char( "Done.\r\n", ch );
      save_starsystem( starsystem );
      return;
   }


space.c, do_setship

Locate:
   if( !str_cmp( arg2, "name" ) )
   {
      STRFREE( ship->name );
      ship->name = STRALLOC( argument );
      send_to_char( "Done.\r\n", ch );
      save_ship( ship );
      return;
   }

   if( !str_cmp( arg2, "filename" ) )
   {
      DISPOSE( ship->filename );
      ship->filename = str_dup( argument );
      send_to_char( "Done.\r\n", ch );
      save_ship( ship );
      write_ship_list(  );
      return;
   }


Change to:
   if( !str_cmp( arg2, "name" ) )
   {
      SHIP_DATA *uship = NULL;
      if( !argument || argument[0] == '\0' )
      {
         send_to_char( "You can't name a ship nothing.\r\n", ch );
         return;
      }
      if( ( uship = get_ship( argument ) ) != NULL  )
      {
         send_to_char( "There is already another ship with that name.\r\n", ch );
         return;
      }
      STRFREE( ship->name );
      ship->name = STRALLOC( argument );
      send_to_char( "Done.\r\n", ch );
      save_ship( ship );
      return;
   }

   if( !str_cmp( arg2, "filename" ) )
   {
      char filename[256];

      if( !is_valid_filename( ch, SHIP_DIR, argument ) )
         return;

      snprintf( filename, sizeof( filename ), "%s%s", SHIP_DIR, ship->filename );
      if( !remove( filename ) )
         send_to_char( "Old ship file deleted.\r\n", ch );

      DISPOSE( ship->filename );
      ship->filename = str_dup( argument );
      send_to_char( "Done.\r\n", ch );
      save_ship( ship );
      write_ship_list(  );
      return;
   }


The same issues as the previous set of fixes involving names and filenames. The handling of these things would allow for accidental overwriting of other data if the new name being picked was the same as another existing ship. And an invalid filename could have allowed for accidental access to sensitive filesystem data.
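
An added example, not part of the original post or of the SWFOTE FUSS code: a stand-alone check in the spirit of the is_valid_filename( ) call used in the fix above, refusing names that would leave the data directory or land on an existing file. The function name check_data_filename, the status codes, the "ships/" directory and the sample inputs are assumptions made for illustration; the project's own is_valid_filename( ) may check differently.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical result codes for this example (not from the SWFOTE source). */
enum fn_status { FN_OK, FN_EMPTY, FN_DOT_NAME, FN_BAD_CHAR, FN_TOO_LONG, FN_EXISTS };

/* Check a staff-supplied file name before it is appended to dir.
 * Only letters, digits, '_', '-' and '.' are accepted, so path separators
 * never get through; a leading dot or any ".." is refused separately. */
enum fn_status check_data_filename( const char *dir, const char *name )
{
   static const char allowed[] =
      "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.";
   char path[256];
   struct stat st;
   int len;

   if( !name || name[0] == '\0' )
      return FN_EMPTY;
   if( name[0] == '.' || strstr( name, ".." ) )
      return FN_DOT_NAME;
   if( name[strspn( name, allowed )] != '\0' )
      return FN_BAD_CHAR;

   /* Build the path exactly as the save routine would and refuse truncation. */
   len = snprintf( path, sizeof( path ), "%s%s", dir, name );
   if( len < 0 || ( size_t ) len >= sizeof( path ) )
      return FN_TOO_LONG;

   /* An existing file belongs to some other record: do not overwrite it. */
   if( stat( path, &st ) == 0 )
      return FN_EXISTS;
   return FN_OK;
}

int main( void )
{
   /* Constructed inputs; "ships/" is an assumed data directory. */
   const char *samples[] = { "falcon.ship", "../other/data.dat", "a/b.ship", "", ".hidden" };
   size_t i;

   for( i = 0; i < sizeof( samples ) / sizeof( samples[0] ); i++ )
      printf( "[%s] -> %d\n", samples[i], check_data_filename( "ships/", samples[i] ) );
   return 0;
}
```

The existence test and the later write are two separate steps, so this guards against an accidental collision by a single operator, not against concurrent writers.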
       