author | piaip <piaip@63ad8ddf-47c3-0310-b6dd-a9e9d9715204> | 2008-01-02 12:24:48 +0800 |
---|---|---|
committer | piaip <piaip@63ad8ddf-47c3-0310-b6dd-a9e9d9715204> | 2008-01-02 12:24:48 +0800 |
commit | 8dcf7da5ab295eb2c441eb6cc427aaa6bfd76d35 (patch) | |
tree | 2a86bf4379e5c2a905300e4066dd790a8f11d2fc | |
parent | 78f43e8c18e2ad103ee3fc20490d6e29a50f9331 (diff) | |
- in the name of security, let's remove the evil escapes that reveal user
information - **b (birthday) and **m (money).
git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@3771 63ad8ddf-47c3-0310-b6dd-a9e9d9715204
-rw-r--r-- | mbbsd/kaede.c | 44 | ||||
-rw-r--r-- | mbbsd/pmore.c | 7 |
2 files changed, 24 insertions, 27 deletions
diff --git a/mbbsd/kaede.c b/mbbsd/kaede.c index 92b26885..d2c5da03 100644 --- a/mbbsd/kaede.c +++ b/mbbsd/kaede.c @@ -21,44 +21,36 @@ Ptt_prints(char *str, size_t size, int mode) else{ /* Note, w will increased by copied length after */ switch( str[++r] ){ - case 's': - strlcpy(strbuf+w, cuser.userid, size-w); - w += strlen(strbuf+w); - break; - case 'n': - strlcpy(strbuf+w, cuser.nickname, size-w); - w += strlen(strbuf+w); - break; - case 't': + + // secure content + + case 't': // current time strlcpy(strbuf+w, Cdate(&now), size-w); w += strlen(strbuf+w); break; - case 'u': + case 'u': // current online users w += snprintf(&strbuf[w], size - w, "%d", SHM->UTMPnumber); break; - case 'l': - w += snprintf(&strbuf[w], size - w, - "%d", cuser.numlogins); + + // insecure content + + case 's': // current user id + strlcpy(strbuf+w, cuser.userid, size-w); + w += strlen(strbuf+w); break; - case 'p': - w += snprintf(&strbuf[w], size - w, - "%d", cuser.numposts); + case 'n': // current user nickname + strlcpy(strbuf+w, cuser.nickname, size-w); + w += strlen(strbuf+w); break; - - /* disabled for security issue. - * we support only entries can be queried by others now. - */ -#ifdef LOW_SECURITY - case 'b': + case 'l': // current user logins w += snprintf(&strbuf[w], size - w, - "%d/%d", cuser.month, cuser.day); + "%d", cuser.numlogins); break; - case 'm': + case 'p': // current user posts w += snprintf(&strbuf[w], size - w, - "%d", cuser.money); + "%d", cuser.numposts); break; -#endif /* It's saver not to send these undefined escape string. default: diff --git a/mbbsd/pmore.c b/mbbsd/pmore.c index 44a405c6..afb07ecd 100644 --- a/mbbsd/pmore.c +++ b/mbbsd/pmore.c 
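Review bot: The `w += snprintf(&strbuf[w], size - w, ...)` form in the `'u'`, `'l'` and `'p'` cases advances `w` by snprintf's return value, which is the length the full output would need rather than the bytes actually stored, so a truncated write can leave `w` at or past `size` and make the next `size - w` wrap if it is evaluated as a `size_t`. The `strlcpy` cases avoid this by measuring what landed in the buffer, and the numeric cases can do the same: `snprintf(&strbuf[w], size - w, "%d", cuser.numlogins);` followed by `w += strlen(strbuf+w);`. Since this commit is about limiting what an embedded escape can expose, it would also help to reword the `// insecure content` comment to say these escapes expand to the viewing user's own data, e.g. `// viewer-specific content (pmore warns on these)`. The enclosing loop and the declaration of `w` are outside the hunk, so any existing bound on `w` cannot be confirmed from here.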
@@ -1394,7 +1394,12 @@ mf_display() buf[0] = '*'; else { - if(strchr("sbmlpn", buf[2]) != NULL) +#ifdef LOW_SECURITY +# define PTTPRINT_WARN_PATTERN "slpnbm" +#else +# define PTTPRINT_WARN_PATTERN "slpn" +#endif // LOW_SECURITY + if(strchr(PTTPRINT_WARN_PATTERN, buf[2]) != NULL) { override_attr = ANSI_COLOR(1;37;41); override_msg = PMORE_MSG_WARN_FAKEUSERINFO; |
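Review bot: The `LOW_SECURITY` branch keeps `b` and `m` in `PTTPRINT_WARN_PATTERN`, but the kaede.c hunk of this commit deletes those cases from `Ptt_prints` instead of leaving them behind the same macro. Within this diff nothing expands `**b` or `**m` in either configuration, so the conditional makes the two files look coupled when they are not. A single file-scope `#define PTTPRINT_WARN_PATTERN "slpn"` with the comment `/* keep in sync with the viewer-specific escapes in Ptt_prints() (kaede.c) */` would state the real dependency, and it avoids defining a macro in the middle of the `else` block. `mf_display` starts and ends outside the hunk.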