#1 Sep 10, 2006 4:02 pm
Last edited Sep 10, 2006 4:04 pm by Samson
Bug: hset command does not validate the level field
Danger: Low - Will allow immortals with access to the hset command to set any level on a help they wish.
Discovered in: AFKMud 1.77
Found by: Kiasyn
Fixed by: Kiasyn
---
help.c.c, do_hset
Locate:
if( !str_cmp( arg1, "level" ) )
{
   pHelp->level = atoi( arg2 );
   send_to_char( "Done.\r\n", ch );
   return;
}
Change to:
if( !str_cmp( arg1, "level" ) )
{
   int lev;

   if( !is_number(arg2) )
   {
      send_to_char( "Level field must be numeric.\r\n", ch );
      return;
   }

   lev = atoi(arg2);
   if( lev < -1 || lev > get_trust(ch) )
   {
      send_to_char( "You can't set the level to that.\r\n", ch );
      return;
   }

   pHelp->level = lev;
   send_to_char( "Done.\r\n", ch );
   return;
}
The hset command was just a bit too trusting of the input it received. No checks were made to see if the level supplied fell within an accepted range, and it did not even verify that the input was numeric.
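An added example, not part of the original post or the AFKMud source: a stand-alone C version of the same validation, generalised to use strtol() in place of the is_number()/atoi() pair so that values too large for an int are rejected as well. The function names, return codes and the trust value of 100 are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define LEVEL_MIN (-1)   /* lower bound taken from the fix above */

/* Pre-fix behaviour: atoi() turns non-numeric text into 0 and nothing
 * bounds the result (out-of-range input is undefined behaviour). */
int parse_level_unchecked(const char *arg)
{
    return atoi(arg);
}

/* Hypothetical helper: returns 0 and stores the level on success,
 * -1 if the text is not a number, -2 if it is outside [-1, trust]. */
int parse_level_checked(const char *arg, int trust, int *out)
{
    char *end;
    long val;

    /* Reject empty input, leading whitespace and '+', which strtol() accepts. */
    if (arg[0] != '-' && !isdigit((unsigned char)arg[0]))
        return -1;

    errno = 0;
    val = strtol(arg, &end, 10);
    if (end == arg || *end != '\0')
        return -1;               /* "-" alone, or trailing junk such as "12abc" */
    if (errno == ERANGE || val < LEVEL_MIN || val > trust)
        return -2;               /* overflowed long, or outside the caller's range */

    *out = (int)val;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; 100 stands in for get_trust(ch). */
    const char *samples[] = { "50", "-1", "abc", "12abc", "9999", "-2" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int lev = 0;
        int rc = parse_level_checked(samples[i], 100, &lev);
        printf("%-6s unchecked=%-5d checked rc=%d\n",
               samples[i], parse_level_unchecked(samples[i]), rc);
    }
    return 0;
}
```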