Safe client actions

Here we discussed clients, mappers, tunnels and their settings.
Locked
Nienor
Posts: 19
Joined: Sat Feb 23, 2008 9:57 pm

Safe client actions

Post by Nienor » Mon Feb 25, 2008 3:09 pm

Since we just got hit by yet another idiot who thought it was fun to abuse unsafe actions to make people do bad things, here's a thread on how to make your client actions safe.

For powwow, here is the explanation from the powwow helpfile
http://mume.pvv.org/Download/clients/po ... owhelp.txt.
-----------------------------------------------------------

SECURITY

When you define an #action that automatically sends something back to
the MUD you are connected to, you must be VERY careful since you may
allow other players to force you to execute commands.
Let's explain better: Suppose you define the following #action:

#action >+autogroup ^&1 starts following you.={#print;group $1}

Even though this may look harmless, such an action is potentially
lethal, for the following reason:
If you receive a text from the MUD containing something like

Cauldron ;remove all;drop all;kill dragon starts following you.
(for example it may be an emote, many MUDs allow it)

powwow will realize that the line matches with the action you defined
(remember that &n can match text of every length, even if containing
spaces or ; ) and will execute this:

{#print;group Cauldron ;remove all;drop all;kill dragon}

The consequences of such a command can be easily imagined...
There are two strategies to avoid such embarassing situations:
1) Use #send and calculator. In fact this is NOT dangerous:

#action >+autogroup ^&1 starts following you.=
{#print;#send ("group "+$(1))}

(in the worst case you will send some semicolon-separated commands
to the MUD, but I saw no MUDs accepting multiple commands as clients
do...):

2) Try to use $n instead of &n, so that semicolons and spaces
are skipped.

#action >+autogroup ^$1 starts following you.=
{#print;group $1}

WARNING:
versions older than 0.7a were bugged and they did NOT skip
semicolons (but they skipped spaces), so also using $n was
dangerous!

If you really need to use a &n, check you are not losing security,
and if you cannot write safe code, use calculator as in point 1).
Note that this is NOT dangerous too:

#action >+autogroup ^&1 starts following you.=group $1

since if someone tries to force you as explained above
it will not work, because #action allows only ONE command to follow
the pattern and you did not place braces around "group $1",
so only the first command (in this case "group <name>")
will be executed.

In every case, remember the best strategy is: check what you are doing,
and do not lose control. If you are not sure a command is safe, better
not to use it.
-----------------------------------------------------------

haunga
Posts: 20
Joined: Mon Feb 25, 2008 3:35 am

Re: Safe client actions

Post by haunga » Mon Feb 25, 2008 3:11 pm

Great :) Thank you for the effort Nienor.

Razoor
Posts: 77
Joined: Sun Feb 24, 2008 10:20 am

Re: Safe client actions

Post by Razoor » Mon Feb 25, 2008 7:01 pm

So what country was the account made from? :)

Xaviar
Posts: 6
Joined: Mon Feb 25, 2008 7:16 pm

Re: Safe client actions

Post by Xaviar » Mon Feb 25, 2008 7:18 pm

Yeah because it's impossible/difficult to spoof a country code or use a shell right?.....Now I know why Nienor was sending me ambiguous tells while she was sitting in rdell this morning while I was getting ready for work..talking about "what I've done" etc.

Lodis
Posts: 5
Joined: Sun Feb 24, 2008 2:59 pm

Re: Safe client actions

Post by Lodis » Tue Feb 26, 2008 1:38 am

That's a fine question Razoor. I would like to know that too. :) I deleted action reply on my jmc after what happened recently. Hehe.

ghalad
Posts: 20
Joined: Tue Mar 04, 2008 7:42 am
Location: United Kingdom

Re: Safe client actions

Post by ghalad » Sun Jun 08, 2008 10:52 am

Nienor wrote:
When you define an #action that automatically sends something back to
the MUD you are connected to, you must be VERY careful since you may
allow other players to force you to execute commands.
Let's explain better: Suppose you define the following #action:

-----------------------------------------------------------
I witnessed a result of this yesterday, My XP group were resting at Angdil, player A (just logged on) entered and used an action that caused player B (a group member) to respond by hitting Angdil! this resulted in Elronds 'posse' attacking our group. Result 2 dead team members and 2 lost levels. Ouch!

I dont believe there will be a reimburse either!

My two pence: Actions should be banned in both XP and PK mode, this will stop the cheating accusations and stop mistakes like this from happening!
A happy person may not have the best of everything, but makes the best of everything.

Elestir
Posts: 231
Joined: Sat Feb 23, 2008 11:47 pm
Location: Olomouc, Czech Republic
Contact:

Re: Safe client actions

Post by Elestir » Sun Jun 08, 2008 2:32 pm

Everyone should be responsible for his actions. And yes I mean literally both manually executed ones and automatic ones executed by their client scripts. If you can't write client actions that are not abuseable, better don't write them at all.

On the other hand, an attempt to abuse client actions of other players is clearly malevolent act and should be dealt with appropriately. Ideally the abuser should reimburse those whom he damaged, but since that is not possible in MUME, he should get punished in extent proportional to the damage he has done.

Regarding reimbursement, it is upon a good will of the Ainur whether they reimburse or not. Reimbursement wouldn't hurt, but players who keep playing with unsafe actions should not expect getting reimbursed more than once for the same abuse.

ghalad
Posts: 20
Joined: Tue Mar 04, 2008 7:42 am
Location: United Kingdom

Re: Safe client actions

Post by ghalad » Mon Jun 09, 2008 9:18 am

Elestir wrote:Regarding reimbursement, it is upon a good will of the Ainur whether they reimburse or not. Reimbursement wouldn't hurt, but players who keep playing with unsafe actions should not expect getting reimbursed more than once for the same abuse.
I totally agree with this, I have also been informed that a reimburse was given shortly after my original post.
A happy person may not have the best of everything, but makes the best of everything.

Kalev
Vala (Mudller)
Posts: 63
Joined: Sat Feb 23, 2008 9:56 pm
Contact:

Re: Safe client actions

Post by Kalev » Mon Jun 16, 2008 8:34 am

Could someone please explain how to do it safely in JMC?

Last night the idiot decided to hit again, trying to abuse actions. There were several JMC users who were suffering from this, most notably Elaril who even posted a log on ElvenRunes.

Having only used powwow, I have no clue about JMC scripting. But surely there must be some clueful readers here!

Sigurd
Posts: 3
Joined: Mon Feb 25, 2008 1:53 pm
Location: Tallinn, Estonia

Re: Safe client actions

Post by Sigurd » Tue Jun 17, 2008 7:51 am

It would be nice if 'reply' would be in game command. Then there would be no need for such client actions. Grouptell would be nice too.

Timodeus
Arata
Posts: 301
Joined: Sun Feb 24, 2008 9:20 am
Location: Germany

Re: Safe client actions

Post by Timodeus » Tue Jun 17, 2008 8:46 am

That's not the point. If some ret^H^H^Hpeople stop triggering on communication-actions they may start to trigger your coin-loot-actions, your auto-group-actions, your ride-actions, your ZBLAM-action, maybe even your (illegal!) auto-track-action... the only way to prevent abuse like that is to use save actions.

dianos
Posts: 67
Joined: Sat Mar 22, 2008 11:47 pm

Re: Safe client actions

Post by dianos » Tue Jun 17, 2008 3:44 pm

For JMC, I don't think there is a way to reference single words in actions, I'm pretty sure it can only deal with strings. The following action is what people probably have:
#action {^%1 tells you} {#var friend %1}
That action is unsafe, because something like this would get you into trouble...
emote ; remove all; drop all; change mood be; kill Elrond; tells you to get stuffed.
The only solution I know of is to do this:
#action {^%1 tells you} {#var friend {%%1}}
The result is that 'friend' will be set to the entire string instead of just the bit before the first semi-colon. It isn't the ideal solution, but at least it is safe to use.

As a side note, these kinds of actions are pretty convenient in general... in particular, they might be useful for quickly communicating in PK situations. I was under the impression that no action that helps in PK is legal. Does that mean that this action is illegal?

ghalad
Posts: 20
Joined: Tue Mar 04, 2008 7:42 am
Location: United Kingdom

Re: Safe client actions

Post by ghalad » Tue Jun 17, 2008 6:29 pm

It is my belief that all actions in PK situations are illegal and this one that I totally back. Even such non direct actions such as 'allowing to communicate faster', provide an unfair advantage, if that communication allows for better group coordination.
A happy person may not have the best of everything, but makes the best of everything.

Elestir
Posts: 231
Joined: Sat Feb 23, 2008 11:47 pm
Location: Olomouc, Czech Republic
Contact:

Re: Safe client actions

Post by Elestir » Tue Jun 17, 2008 6:45 pm

ghalad wrote:It is my belief that all actions in PK situations are illegal and this one that I totally back. Even such non direct actions such as 'allowing to communicate faster', provide an unfair advantage, if that communication allows for better group coordination.
Reply action/aliases still give smaller advantage than if group of players is playing from one lab or if they are using headsets to communicate etc. Ideally no actions should be necessary. When some kind of action can give an unfair advantage, for me it's a proof of poor game design. Hardcode reply, and problem is solved. And for other features that encourage usage of actions, simply change them so they do not. There is always a way.

Wobbler
Posts: 393
Joined: Mon Feb 25, 2008 10:02 pm

Re: Safe client actions

Post by Wobbler » Sun Jun 22, 2008 4:09 pm

I don't think anyone who has ever answered "yes" to the question "Are you an experienced MUME player" should be reimbursed for failing to programme his client properly. As long as people get reimbursed, the vast majority just won't bother about fixing their settings.
Inexperienced players should, of course, be allowed to display a lack of experience once or twice.

To further faciliate this, I once again suggest that a subforum for client discussions be installed, where people can share their knowledge of client programming to help those who want to use one but don't know how to programme it yet. I'm confident one of the people who know how to write proper actions even in JMC would be willing to post a basic howto.
Politicians are wise and benevolent and will gladly sacrifice themselves for the common good. Anyone who implies that there might exist dishonest politicians is obviously a terrorist who should be locked up indefinitely without a trial.

Elestir
Posts: 231
Joined: Sat Feb 23, 2008 11:47 pm
Location: Olomouc, Czech Republic
Contact:

Re: Safe client actions

Post by Elestir » Wed Jun 25, 2008 10:36 am

Since some clients don't have the features of powwow which help with this issue, you often have to improvise. In most clients, following approach to deal with dangerous actions is possible: Simply define action of higher priority (usually the action defined earlier) which filters out the dangerous looking input. Example in powwow:

#action >fake_follows ^&1\;&2 starts following you.={#print;#print Fake "follows" message detected!}
#action >follows ^&1 starts following you.={#print;group $1}

Note: If the mud uses ansi color sequences in these messages, you have to add these into your actions. (ansi color sequences contain semicolons which could confuse the fake_follows action that is unaware of these sequences).

Jahara
Posts: 228
Joined: Sat Feb 23, 2008 9:55 pm
Location: Indiana, USA
Contact:

Re: Safe client actions

Post by Jahara » Wed Jun 25, 2008 9:55 pm

There is a scripts section on the wiki. If anyone wants to improve it or add their scripts to it, feel welcome to!

I have added some of my scripts to the powwow and powtty sections.

Mandor
Posts: 65
Joined: Mon Feb 25, 2008 8:23 pm
Location: Stockholm / Sweden

Re: Safe client actions

Post by Mandor » Fri Jul 11, 2008 9:50 pm

Lots of people want a safe reply trigger. Here's one I use, which only uses mume aliases!

Code: Select all

tr         ==> al r tell &
Very useful. Here's how to use it. Say you want to talk to Angdil alot, type "tr angdil", now you can send tells to him with "r hello, got any fine weapons on display today?"

Eldarion
Posts: 1
Joined: Sat Mar 07, 2009 6:05 pm

Re: Safe client actions

Post by Eldarion » Sat Mar 07, 2009 7:55 pm

Mandor wrote:Lots of people want a safe reply trigger. Here's one I use, which only uses mume aliases!

Code: Select all

tr         ==> al r tell &
t is short for tell (or te if you have t set to an alias, etc.).

Brings memories of my old command abbreviations correspondance with Dáin. Ah!

Locked