SECURE ACTIONS


Some idiots think it is fun to abuse unsafe actions to make people do bad things; here is a thread on how to make your client actions safe.

For powwow (and for the general principle of what unsafe actions do), here is the explanation from the powwow help file:
http://mume.pvv.org/Download/clients/powtty/powwowhelp.txt (the version here is modified).


SECURITY

When you define an #action that automatically sends something back to the MUD you are connected to, you must be VERY careful since you may allow other players to force you to execute commands.
To be more precise, suppose you define the following #action:

 #action >+autogroup ^&1 starts following you.={#print;group $1}

Even though this may look harmless, such an action is potentially lethal, for the following reason:
If you receive a text from the MUD containing something like

  Cauldron ;remove all;drop all;kill dragon starts following you.
  (for example it may be an emote or a narrate)

powwow will realize that the line matches with the action you defined (remember that &n can match text of every length, even if containing spaces or ";") and will execute this:

 {#print;group Cauldron ;remove all;drop all;kill dragon}

The consequences of such a command can be easily imagined... There are two strategies to avoid such embarrassing situations:
1) Use #send and the calculator. This form is NOT dangerous:

 #action >+autogroup ^&1 starts following you.= {#print;#send ("group "+$(1))}

In the worst case you will send some semicolon-separated text to the MUD as a single line, but MUME, unlike clients, does not split one line into multiple commands.

2) Use $n instead of &n: $n matches only a single word, so text containing spaces or semicolons will not match the pattern at all.

 #action >+autogroup ^$1 starts following you.= {#print;group $1}

Note the following is also NOT dangerous:

  #action >+autogroup ^&1 starts following you.=group $1

since if someone tries to force you as shown above, it will not work: #action allows only ONE command to follow the pattern, and because you did not place braces around "group $1", only the first command (in this case "group <name>") will be executed.
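To make the three cases above concrete, here is a small added simulation (not powwow's code; its matcher is a simplified model in which &n matches any text and $n a single word without spaces or semicolons, and the brace handling follows this help text). It replays the crafted "starts following you." line through the unsafe action and both safe variants, and includes a simple lint check for the dangerous combination:

```python
import re

# Constructed MUD lines from the help text: a normal "follow" message and an
# emote crafted to carry extra commands in the "name" part (HOSTILE_LINE).
NORMAL_LINE = "Cauldron starts following you."
HOSTILE_LINE = "Cauldron ;remove all;drop all;kill dragon starts following you."

def pattern_to_regex(pattern):
    """Simplified model of a powwow pattern: &n matches text of any length
    (spaces and ';' included); $n is modelled as one word with no spaces or ';'."""
    anchored = pattern.startswith("^")
    regex = "^" if anchored else ""
    for part in re.split(r"([&$]\d+)", pattern[1:] if anchored else pattern):
        if re.fullmatch(r"&\d+", part):
            regex += r"(?P<v%s>.*)" % part[1:]
        elif re.fullmatch(r"\$\d+", part):
            regex += r"(?P<v%s>[^\s;]+)" % part[1:]
        else:
            regex += re.escape(part)
    return regex

def commands_for(body_text):
    """Per the help text: braces make the body a ';'-separated command list;
    without braces only ONE command runs, so anything after the first ';' is dropped."""
    text = body_text.strip()
    if text.startswith("{") and text.endswith("}"):
        return [c.strip() for c in text[1:-1].split(";") if c.strip()]
    return [text.split(";")[0].strip()]

def run_action(pattern, body, mud_line):
    """Return the client commands the action would execute for mud_line."""
    match = re.search(pattern_to_regex(pattern), mud_line)
    if not match:
        return []
    # powwow substitutes $n textually before the body is parsed and executed
    expanded = re.sub(r"\$(\d+)", lambda m: match.group("v" + m.group(1)), body)
    return commands_for(expanded)

def looks_unsafe(pattern, body):
    """Lint check: an &n capture substituted into a braced, multi-command body."""
    captures = re.findall(r"&(\d+)", pattern)
    return body.strip().startswith("{") and any("$" + n in body for n in captures)

UNSAFE = ("^&1 starts following you.", "{#print;group $1}")
SAFE_WORD = ("^$1 starts following you.", "{#print;group $1}")
SAFE_NOBRACE = ("^&1 starts following you.", "group $1")

if __name__ == "__main__":
    for name, (pat, body) in [("unsafe", UNSAFE), ("$1", SAFE_WORD), ("no braces", SAFE_NOBRACE)]:
        print(name, looks_unsafe(pat, body), run_action(pat, body, HOSTILE_LINE))
```

Running it shows the unsafe action expanding the crafted line into five commands, while the $1 variant does not match at all and the brace-less variant executes only "group Cauldron".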

In any case, remember the best strategy is: check what you are doing, and if you are not sure a command is safe, better not to use it.

Last words: YOU are responsible for your client and your actions. You will not get reimbursement for losses due to misconfigured clients, no matter if some idiot triggered something on purpose or not!

See also: HELP CLIENT
          RULES ACTIONS


This page was automatically generated on Sun Feb 26 07:39:14 2017