authorpiaip <piaip@63ad8ddf-47c3-0310-b6dd-a9e9d9715204>2005-07-03 15:10:38 +0800
committerpiaip <piaip@63ad8ddf-47c3-0310-b6dd-a9e9d9715204>2005-07-03 15:10:38 +0800
commita2a653b72c1f5c6920f03d13a52b0a2ea3631cb8 (patch)
tree2c99185aec035b80ae4d5496e4f125b4e9e78492 /mbbsd/kaede.c
parent76c447fca47270d730fe8258ad52e4696d097d55 (diff)
Security Update
(1) **s (Ptt_prints): Only information that can be queried by others will be revealed, i.e., **b (birthday) and **u (utmp number) will be removed, and **m (money) will show level messages instead of the real number. (2) Reply will show as **X instead of the converted message. (3) Ansi (^V) mode in the editor will display as **X. git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@2878 63ad8ddf-47c3-0310-b6dd-a9e9d9715204
Diffstat (limited to 'mbbsd/kaede.c')
-rw-r--r--mbbsd/kaede.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/mbbsd/kaede.c b/mbbsd/kaede.c
index c0b1ed23..b7f4ad56 100644
--- a/mbbsd/kaede.c
+++ b/mbbsd/kaede.c
@@ -25,6 +25,9 @@ Ptt_prints(char *str, int mode)
strlcpy(strbuf+w, Cdate(&now), sizeof(strbuf)-w);
w += strlen(strbuf+w);
break;
+
+ /* disabled for security issue.
+ * we support only entries can be queried by others now.
case 'u':
w += snprintf(&strbuf[w], sizeof(strbuf) - w,
"%d", SHM->UTMPnumber);
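Review bot: The `'u'` and `'b'` cases are disabled by opening a block comment here and closing it in the next hunk (the `*/` after the `%d/%d` case), which keeps the disclosing code in the switch behind a single comment delimiter. C comments do not nest, so any `/* ... */` later added inside that region would end the comment early and quietly re-enable part of the disabled expansion. Deleting the two cases, or wrapping them in `#if 0` / `#endif`, would be sturdier, with a comment such as `/* 'u' (utmp number) and 'b' (birthday) are not expanded: only fields other users can already query may appear in output. */`. The lines between the two hunks and the rest of Ptt_prints are outside the view, so what an input containing the removed escapes now produces cannot be confirmed from here.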
@@ -33,6 +36,8 @@ Ptt_prints(char *str, int mode)
w += snprintf(&strbuf[w], sizeof(strbuf) - w,
"%d/%d", cuser.month, cuser.day);
break;
+ */
+
case 'l':
w += snprintf(&strbuf[w], sizeof(strbuf) - w,
"%d", cuser.numlogins);
@@ -47,7 +52,7 @@ Ptt_prints(char *str, int mode)
break;
case 'm':
w += snprintf(&strbuf[w], sizeof(strbuf) - w,
- "%d", cuser.money);
+ "%s", money_level(cuser.money));
break;
/* It's saver not to send these undefined escape string.
default:
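Review bot: Switching the `'m'` case from `%d` to `%s` makes the written length depend on whatever `money_level()` returns, while `w += snprintf(...)` adds the length that would have been written rather than the bytes actually stored. If the output is ever truncated, `w` moves past `sizeof(strbuf)` and the next `sizeof(strbuf) - w` wraps to a very large size, so later writes are no longer bounded by the buffer. The `strlcpy` pattern already used for `Cdate` in this function avoids that: `strlcpy(strbuf+w, money_level(cuser.money), sizeof(strbuf)-w); w += strlen(strbuf+w);`. Whether the surrounding loop bounds `w` elsewhere, and whether `money_level()` can return NULL, is not visible in this hunk.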