1.0.2 fix for name security problem.

Latitudinarian Lobster myers at uwmacc.UUCP
Tue Jun 4 10:24:43 AEST 1985


In 1.0.2, it is possible to specify a path name or a hack library file
name as the name for your character, which will trash any file already
existing with the name or path you specify (if it's writable by hack).
The lockfile opened will have a name consisting of the uid of the player
concatenated with their playername.
Here's the fix (two context diffs):

*** hack.main.c.old	Fri May 10 02:45:58 1985
--- hack.main.c	Fri May 24 17:40:36 1985
***************
*** 204,210
  		(void) signal(SIGQUIT,SIG_IGN);
  		(void) signal(SIGINT,SIG_IGN);
  		if(!locknum)
! 			(void) strcpy(lock,plname);
  		lockcheck();	/* sets lock if locknum != 0 */
  #ifdef WIZARD
  	} else {

--- 204,210 -----
  		(void) signal(SIGQUIT,SIG_IGN);
  		(void) signal(SIGINT,SIG_IGN);
  		if(!locknum)
! 			(void) sprintf(lock, "%d%s", getuid(), plname);
  		lockcheck();	/* sets lock if locknum != 0 */
  #ifdef WIZARD
  	} else {
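Review bot: the new sprintf on the `!` line prepends the decimal uid to plname, so the string written into `lock` can be ten or so characters longer than what strcpy produced; the hunk does not show the declared size of `lock`, so confirm it has room for the uid digits plus the longest permitted plname, or use a bounded formatting call and check for truncation. Minor: getuid() returns uid_t, so `(int) getuid()` makes the `%d` conversion explicit. Note also that the uid prefix only keeps different users' lock files apart; it does not stop a plname containing '/' from turning the lock name into a path, so this hunk depends on the rejection added in hack.options.c being applied as well.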
***************
*** 286,292
  	flags.moonphase = phase_of_the_moon();
  	if(flags.moonphase == FULL_MOON) {
  		pline("You are lucky! Full moon tonight.");
! 		u.uluck++;
  	} else if(flags.moonphase == NEW_MOON) {
  		pline("Be careful! New moon tonight.");
  	}

--- 286,292 -----
  	flags.moonphase = phase_of_the_moon();
  	if(flags.moonphase == FULL_MOON) {
  		pline("You are lucky! Full moon tonight.");
!  		if(!u.uluck) u.uluck++;
  	} else if(flags.moonphase == NEW_MOON) {
  		pline("Be careful! New moon tonight.");
  	}
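Review bot: replacing `u.uluck++` with `if(!u.uluck) u.uluck++;` changes gameplay (luck is now only raised when it is zero) and has nothing to do with the name security problem the post describes; it should be mentioned in the description or shipped as a separate patch so sites applying only the security fix know what they are getting. Also, the replacement line carries an extra leading space before the tabs (`!  \t\tif(...)`), which patch will copy into the source as-is.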
***************
*** 434,440
  	if(unlink(safelock) == -1)
  		error("Cannot unlink safelock.");
  	if(fd == -1) {
! 		error("cannot creat lock file.");
  	} else {
  		if(write(fd, (char *) &hackpid, sizeof(hackpid))
  		    != sizeof(hackpid)){

--- 434,440 -----
  	if(unlink(safelock) == -1)
  		error("Cannot unlink safelock.");
  	if(fd == -1) {
! 		error("cannot create lock file.");
  	} else {
  		if(write(fd, (char *) &hackpid, sizeof(hackpid))
  		    != sizeof(hackpid)){
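Review bot: this hunk only corrects the spelling of the error message (`creat` to `create`) and has no bearing on the security fix; harmless, but since the post is presented as a security fix, cosmetic changes are better kept out of it or called out in the description so the hunks that matter can be applied independently.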

*** hack.options.c.old	Fri May 24 16:09:39 1985
--- hack.options.c	Fri May 24 17:21:39 1985
***************
*** 92,97
  		  pline("The playername can be set only from HACKOPTIONS.");
  		  return;
  		}
  		op = index(opts,':');
  		if(!op) goto bad;
  		(void) strncpy(plname, op+1, sizeof(plname)-1);

--- 92,100 -----
  		  pline("The playername can be set only from HACKOPTIONS.");
  		  return;
  		}
+ 		/* security kludge; uwmacc!myers */
+ 		op = index(opts,'/');
+ 		if(op) goto bad;
  		op = index(opts,':');
  		if(!op) goto bad;
  		(void) strncpy(plname, op+1, sizeof(plname)-1);
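Review bot: the added `index(opts,'/')` check rejects a '/' anywhere in the whole option string, not just in the value after the ':'; that is safe for a name option, but the comment `security kludge` should say what is rejected and why (a '/' would make plname a path component of the lock file name). Two follow-ups: the check only guards names set through this option parser, so if plname can be assigned by any other route the same rejection is needed there; and because the uid prefix added in hack.main.c does not neutralise a '/' in the name, this is the hunk that actually closes the path problem and must not be dropped if the two files are applied separately. Finally, the existing `strncpy(plname, op+1, sizeof(plname)-1)` writes no terminator when the source fills the buffer; it relies on the last byte of plname already being zero, which is worth a comment.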


-- 
Jeff Myers				The views above may or may not
University of Wisconsin-Madison		reflect the views of any other
Madison Academic Computing Center	person or group at UW-Madison.
ARPA: uwmacc!myers at wisc-rsch.ARPA
UUCP: ..!{harvard,ucbvax,allegra,heurikon,ihnp4,seismo}!uwvax!uwmacc!myers
BitNet: MYERS at MACCWISC
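As an added example (not code from the post or from hack itself), here is the lock-name construction rewritten with both checks the patch introduces, a '/' rejection and a uid prefix, plus a bound on the destination buffer, which the original strcpy/sprintf lines do not have. PL_NSIZ, LOCK_NSIZ and the function names are assumptions, not hack's own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumed buffer sizes (hypothetical; the post does not show hack's own). */
#define PL_NSIZ   32                 /* longest player name plus NUL */
#define LOCK_NSIZ (PL_NSIZ + 12)     /* uid digits plus the name plus NUL */

/* Build the lock file name "<uid><plname>" into lock[].
 * Returns 0 on success, -1 if plname is empty or contains '/',
 * -2 if the result would not fit (refuse rather than lock the wrong file). */
int make_lock_name(char *lock, size_t locksz, uid_t uid, const char *plname)
{
    int n;
    if (plname == NULL || plname[0] == '\0')
        return -1;
    /* 1.0.2 did (void) strcpy(lock, plname); a '/' in plname turned the lock
       name into a path, so creating the lock could clobber another file.
       Reject the character before it reaches the filesystem at all. */
    if (strchr(plname, '/') != NULL)
        return -1;
    /* The uid prefix keeps two users with the same player name apart and
       stops a bare name from matching a hack library file in the same dir. */
    n = snprintf(lock, locksz, "%ld%s", (long) uid, plname);
    if (n < 0 || (size_t) n >= locksz)
        return -2;
    return 0;
}

/* Convenience wrapper: the finished name, or NULL when it is rejected. */
const char *lock_name_or_null(uid_t uid, const char *plname)
{
    static char lock[LOCK_NSIZ];
    return make_lock_name(lock, sizeof lock, uid, plname) == 0 ? lock : NULL;
}

int main(void)
{
    /* Constructed sample names: one good, one with '/', one empty, one overlong. */
    const char *names[] = { "myers", "../other", "",
        "this_player_name_is_far_too_long_to_fit_in_the_buffer" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *lock = lock_name_or_null(1000, names[i]);
        printf("%-55s -> %s\n", names[i], lock ? lock : "rejected");
    }
    return 0;
}
```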


