author | piaip <piaip@63ad8ddf-47c3-0310-b6dd-a9e9d9715204> | 2005-07-03 15:10:38 +0800 |
---|---|---|
committer | piaip <piaip@63ad8ddf-47c3-0310-b6dd-a9e9d9715204> | 2005-07-03 15:10:38 +0800 |
commit | a2a653b72c1f5c6920f03d13a52b0a2ea3631cb8 (patch) | |
tree | 2c99185aec035b80ae4d5496e4f125b4e9e78492 /mbbsd/kaede.c | |
parent | 76c447fca47270d730fe8258ad52e4696d097d55 (diff) | |
Security Update
(1) **s (Ptt_prints):
Only information that can be queried by others will be revealed.
i.e., **b(birthday), **u(utmp number) will be removed
**m(money) will show level messages instead of real number
(2) Reply will show as **X instead of converted message
(3) Ansi (^V) mode in editor will display as **X.
git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@2878 63ad8ddf-47c3-0310-b6dd-a9e9d9715204
Diffstat (limited to 'mbbsd/kaede.c')
-rw-r--r-- | mbbsd/kaede.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/mbbsd/kaede.c b/mbbsd/kaede.c
index c0b1ed23..b7f4ad56 100644
--- a/mbbsd/kaede.c
+++ b/mbbsd/kaede.c
@@ -25,6 +25,9 @@ Ptt_prints(char *str, int mode)
 strlcpy(strbuf+w, Cdate(&now), sizeof(strbuf)-w);
 w += strlen(strbuf+w);
 break;
+
+ /* disabled for security issue.
+ * we support only entries can be queried by others now.
 case 'u':
 w += snprintf(&strbuf[w], sizeof(strbuf) - w,
 "%d", SHM->UTMPnumber);
@@ -33,6 +36,8 @@ Ptt_prints(char *str, int mode)
 w += snprintf(&strbuf[w], sizeof(strbuf) - w,
 "%d/%d", cuser.month, cuser.day);
 break;
+ */
+
 case 'l':
 w += snprintf(&strbuf[w], sizeof(strbuf) - w,
 "%d", cuser.numlogins);
@@ -47,7 +52,7 @@ Ptt_prints(char *str, int mode)
 break;
 case 'm':
 w += snprintf(&strbuf[w], sizeof(strbuf) - w,
- "%d", cuser.money);
+ "%s", money_level(cuser.money));
 break;
 /* It's saver not to send these undefined escape string.
 default: |
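Review bot: The `u` and `b` cases are disabled by a block comment that opens in this hunk and closes in the second one (`@@ -33,6 +36,8 @@`), which leaves dead code inside the switch and breaks silently if a `/* */` comment is ever added within the span. Deleting the two cases, or fencing them with `#if 0` / `#endif`, would be more robust. The visible tail of the switch shows `default:` is itself commented out, so what `**u` and `**b` now expand to is decided outside these hunks; presumably nothing is appended, but the comment should say so. Suggested wording: `/* **u (utmp count) and **b (birthday) are no longer expanded: only fields other users can already query are revealed. */`. The body of Ptt_prints starts and ends outside the hunk.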
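Review bot: The rewritten `m` case in the third hunk now appends a string whose length depends on `money_level()` while keeping `w += snprintf(...)`. Since snprintf returns the length it would have written, a truncated write can push `w` past `sizeof(strbuf)`, after which `sizeof(strbuf) - w` can wrap and `&strbuf[w]` points outside the buffer. Unless the code outside this hunk already bounds `w`, clamp it after the call, e.g. `if (w >= (int)sizeof(strbuf)) w = sizeof(strbuf) - 1;` (assuming `w` is an int), ideally once after the switch because the `l` case in the context lines uses the same pattern. `money_level` is declared elsewhere; if it can ever return NULL the `%s` is undefined, so a short comment stating that it always returns a valid string would help.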