[Bug] hset command does not validate the level field
#1 Sep 10, 2006 4:02 pm   Last edited Sep 10, 2006 4:04 pm by Samson
Samson
Bug: hset command does not validate the level field
Danger: Low - Will allow immortals with access to the hset command to set any level on a help they wish.
Discovered in: AFKMud 1.77
Found by: Kiasyn
Fixed by: Kiasyn

---

help.c.c, do_hset

Locate:
   if( !str_cmp( arg1, "level" ) )
   {
      pHelp->level = atoi( arg2 );
      send_to_char( "Done.\r\n", ch );
      return;
   }


Change to:
   if( !str_cmp( arg1, "level" ) )
   {
      int lev;

      if( !is_number(arg2) )
      {
         send_to_char( "Level field must be numeric.\r\n", ch );
         return;
      }

      lev = atoi(arg2);
      if( lev < -1 || lev > get_trust(ch) )
      {
         send_to_char( "You can't set the level to that.\r\n", ch );
         return;
      }
      pHelp->level = lev;
      send_to_char( "Done.\r\n", ch );
      return;
   }


The hset command was just a bit too trusting of the input it received. No checks were made to see if the level supplied fell within an accepted range, and the command did not even verify that the input was numeric.
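
A stand-alone version of the check this fix introduces, added here as an example and not taken from the AFKMud source. parse_help_level and its status codes are hypothetical names, the trust argument stands in for get_trust(ch), and strtol is used in place of is_number/atoi so that an over-long digit string is rejected as well.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Result codes for the hypothetical helper below. */
enum level_status { LEVEL_OK = 0, LEVEL_NOT_NUMERIC, LEVEL_OUT_OF_RANGE };

/*
 * Parse arg as a help level and accept it only if it lies in [-1, trust],
 * the same range the fix above enforces. trust stands in for get_trust(ch).
 * On success *out holds the level; on failure *out is left untouched.
 */
enum level_status parse_help_level( const char *arg, int trust, int *out )
{
   char *end = NULL;
   long val;

   if( arg == NULL || *arg == '\0' )
      return LEVEL_NOT_NUMERIC;

   errno = 0;
   val = strtol( arg, &end, 10 );

   /* No digits consumed, or trailing characters such as "50abc". */
   if( end == arg || *end != '\0' )
      return LEVEL_NOT_NUMERIC;

   /* ERANGE covers digit strings too long for a long; then apply the range. */
   if( errno == ERANGE || val < -1 || val > trust )
      return LEVEL_OUT_OF_RANGE;

   *out = (int)val;
   return LEVEL_OK;
}

int main( void )
{
   /* Constructed sample inputs; 100 is an assumed trust level for the caller. */
   const char *samples[] = { "50", "-1", "100", "101", "-2", "abc", "50abc", "", "99999999999999999999" };
   size_t i;

   for( i = 0; i < sizeof( samples ) / sizeof( samples[0] ); i++ )
   {
      int lev = -99;
      enum level_status st = parse_help_level( samples[i], 100, &lev );
      printf( "\"%s\" -> status %d, level %d\n", samples[i], st, lev );
   }
   return 0;
}
```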
