Safe client actions
Posted: Mon Feb 25, 2008 3:09 pm
Since we just got hit by yet another idiot who thought it was fun to abuse unsafe actions to make people do bad things, here's a thread on how to make your client actions safe.
For powwow, here is the explanation from the powwow helpfile
http://mume.pvv.org/Download/clients/po ... owhelp.txt.
-----------------------------------------------------------
SECURITY
When you define an #action that automatically sends something back to
the MUD you are connected to, you must be VERY careful since you may
allow other players to force you to execute commands.
Let's explain better: Suppose you define the following #action:
#action >+autogroup ^&1 starts following you.={#print;group $1}
Even though this may look harmless, such an action is potentially
lethal, for the following reason:
If you receive a text from the MUD containing something like
Cauldron ;remove all;drop all;kill dragon starts following you.
(for example it may be an emote, many MUDs allow it)
powwow will realize that the line matches with the action you defined
(remember that &n can match text of every length, even if containing
spaces or ; ) and will execute this:
{#print;group Cauldron ;remove all;drop all;kill dragon}
The consequences of such a command can be easily imagined...
There are two strategies to avoid such embarrassing situations:
1) Use #send and calculator. In fact this is NOT dangerous:
#action >+autogroup ^&1 starts following you.=
{#print;#send ("group "+$(1))}
(in the worst case you will send some semicolon-separated commands
to the MUD, but I saw no MUDs accepting multiple commands as clients
do...):
2) Try to use $n instead of &n, so that semicolons and spaces
are skipped.
#action >+autogroup ^$1 starts following you.=
{#print;group $1}
WARNING:
versions older than 0.7a were bugged and they did NOT skip
semicolons (but they skipped spaces), so also using $n was
dangerous!
If you really need to use a &n, check you are not losing security,
and if you cannot write safe code, use calculator as in point 1).
Note that this is NOT dangerous either:
#action >+autogroup ^&1 starts following you.=group $1
since if someone tries to force you as explained above
it will not work, because #action allows only ONE command to follow
the pattern and you did not place braces around "group $1",
so only the first command (in this case "group <name>")
will be executed.
In every case, remember the best strategy is: check what you are doing,
and do not lose control. If you are not sure a command is safe, better
not to use it.
-----------------------------------------------------------
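As an added illustration that is not part of the post or of powwow itself, the following Python model reproduces the matching rules the helpfile describes (&n matches any text, $n matches one word without spaces or semicolons, a braced body is split on ';', and #send with the calculator sends the whole string as one line) and runs the helpfile's four variants of the autogroup action against the hostile emote. The pattern-to-regex conversion and the simplified #send parsing are my assumptions about powwow's behaviour, used only to make the comparison runnable.

```python
import re

# Constructed sample lines of the kind the helpfile describes: the name part
# is under another player's control (e.g. via an emote).
HOSTILE_LINE = "Cauldron ;remove all;drop all;kill dragon starts following you."
BENIGN_LINE = "Cauldron starts following you."


def pattern_to_regex(pattern):
    """Assumed model of a powwow action pattern: '^' anchors at line start,
    &n matches text of any length, $n matches one word with no spaces or ';',
    everything else is literal."""
    anchored = pattern.startswith("^")
    body = pattern[1:] if anchored else pattern
    out = "^" if anchored else ""
    for part in re.split(r"([&$]\d)", body):
        if re.fullmatch(r"&\d", part):
            out += "(.*)"
        elif re.fullmatch(r"\$\d", part):
            out += r"([^\s;]+)"
        else:
            out += re.escape(part)
    return out + "$"


def commands_sent(pattern, body, line):
    """Return the list of commands that would reach the MUD for one line.
    Braced body: $n is substituted, then split on ';' (client-internal
    #commands such as #print are dropped). Bare body: a single command.
    {#print;#send ("text"+$(n))}: the concatenated string goes as ONE line."""
    m = re.match(pattern_to_regex(pattern), line)
    if not m:
        return []  # action does not fire at all
    groups = {str(i + 1): g for i, g in enumerate(m.groups())}
    send = re.fullmatch(r'\{#print;#send \("(.*)"\+\$\((\d)\)\)\}', body)
    if send:
        return [send.group(1) + groups[send.group(2)]]
    subst = lambda text: re.sub(r"\$(\d)", lambda k: groups[k.group(1)], text)
    if body.startswith("{") and body.endswith("}"):
        parts = [c.strip() for c in subst(body[1:-1]).split(";")]
        return [c for c in parts if c and not c.startswith("#")]
    return [subst(body)]


if __name__ == "__main__":
    # Unsafe: &1 plus a braced body lets the injected ';'-commands through.
    print(commands_sent("^&1 starts following you.", "{#print;group $1}", HOSTILE_LINE))
    # Safe: the $n pattern simply refuses to match the hostile line.
    print(commands_sent("^$1 starts following you.", "{#print;group $1}", HOSTILE_LINE))
```

The unsafe variant yields four separate commands; the #send, $1 and bare-body variants each produce at most one line, which is exactly the property the helpfile is after.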