Home
  • Home
  • About
    • Features
    • History
  • Play
  • Community
    • Elvenrunes
    • Discord
    • Links
    • Wiki
  • News
    • War
    • Game News
    • Web News
  • Resources
    • Newcomers
    • Help
    • Rules
    • Dictionary
    • Boards
    • Download
    • Restricted
  • Search

MUME Help
Index: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

SECURE ACTIONS

Some idiots think it is fun to abuse unsafe actions to make people do bad things, here's a thread on how to make your client actions safe.

For powwow (and on the principle what unsafe-actions do), here is the explanation from the powwow helpfile:
http://mume.pvv.org/Download/clients/powtty/powwowhelp.txt (this version here is modified).

Security

When you define an #action that automatically sends something back to the MUD you are connected to, you must be VERY careful since you may allow other players to force you to execute commands.

Let's explain better: Suppose you define the following #action: 

  #action >+autogroup ^&1 starts following you.={#print;group $1}

Even though this may look harmless, such an action is potentially lethal, for the following reason:

If you receive a text from the MUD containing something like 

  Cauldron ;remove all;drop all;kill dragon starts following you.

It might have been an emote or a narrate…

powwow will realize that the line matches with the action you defined (remember that &n can match text of every length, even if containing spaces or ;) and will execute this: 

  {#print;group Cauldron ;remove all;drop all;kill dragon}

The consequences of such a command can be easily imagined… There are two strategies to avoid such embarassing situations:

  1. Use #send and calculator. In fact this is NOT dangerous: 

    #action >+autogroup ^&1 starts following you.= {#print;#send ("group "+$(1))}

    In the worst case you will send some semicolon-separated commands to the MUD, but MUME does not accept multiple commands as clients do.

  2. Try to use $n instead of &n, so that semicolons and spaces are skipped.

    #action >+autogroup ^$1 starts following you.= {#print;group $1}

Note the following is also NOT dangerous: 
  #action >+autogroup ^&1 starts following you.=group $1

since if someone tries to force you, as shown above, it will not work, because 

action allows only one command to follow the pattern and you did not place
braces around group $1, so only the first command (in this case group
<name>) will be executed.
In any case remember the best strategy is: check what you are doing and if you are not sure a command is safe, better do not use it.

Last words: You are responsible for your client and your actions. You will not get reimbursement for losses due to misconfigured clients, no matter if some idiot triggered something on purpose or not!

See also: HELP CLIENT, RULES ACTIONS

Generated on Sat Apr 24 10:55:33 2021

What is MUME?

MUME, Multi-Users in Middle-earth, is a multiplayer text-based online game based upon J. R. R. Tolkien’s Middle-earth during the epic wars of the late Third Age between the forces of the Dark Lord and the armies of the Free peoples. MUME is completely at no cost and has been continuously running, expanded, and remastered by a community of volunteers since 1991.

Ready to explore?
Play Now