From 8dcf7da5ab295eb2c441eb6cc427aaa6bfd76d35 Mon Sep 17 00:00:00 2001
From: piaip
Date: Wed, 2 Jan 2008 04:24:48 +0000
Subject: - in the name of secure, let's remove the evil escape that reveals user information - **b (birthday) and **m (money).
git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@3771 63ad8ddf-47c3-0310-b6dd-a9e9d9715204
---
mbbsd/kaede.c | 44 ++++++++++++++++++--------------------------
mbbsd/pmore.c | 7 ++++++-
2 files changed, 24 insertions(+), 27 deletions(-)
(limited to 'mbbsd')
diff --git a/mbbsd/kaede.c b/mbbsd/kaede.c
index 92b26885..d2c5da03 100644
--- a/mbbsd/kaede.c
+++ b/mbbsd/kaede.c
@@ -21,44 +21,36 @@ Ptt_prints(char *str, size_t size, int mode)
 else{
 /* Note, w will increased by copied length after */
 switch( str[++r] ){
- case 's':
- strlcpy(strbuf+w, cuser.userid, size-w);
- w += strlen(strbuf+w);
- break;
- case 'n':
- strlcpy(strbuf+w, cuser.nickname, size-w);
- w += strlen(strbuf+w);
- break;
- case 't':
+
+ // secure content
+
+ case 't': // current time
 strlcpy(strbuf+w, Cdate(&now), size-w);
 w += strlen(strbuf+w);
 break;
- case 'u':
+ case 'u': // current online users
 w += snprintf(&strbuf[w], size - w,
 "%d", SHM->UTMPnumber);
 break;
- case 'l':
- w += snprintf(&strbuf[w], size - w,
- "%d", cuser.numlogins);
+
+ // insecure content
+
+ case 's': // current user id
+ strlcpy(strbuf+w, cuser.userid, size-w);
+ w += strlen(strbuf+w);
 break;
- case 'p':
- w += snprintf(&strbuf[w], size - w,
- "%d", cuser.numposts);
+ case 'n': // current user nickname
+ strlcpy(strbuf+w, cuser.nickname, size-w);
+ w += strlen(strbuf+w);
 break;
-
- /* disabled for security issue.
- * we support only entries can be queried by others now.
- */
-#ifdef LOW_SECURITY
- case 'b':
+ case 'l': // current user logins
 w += snprintf(&strbuf[w], size - w,
- "%d/%d", cuser.month, cuser.day);
+ "%d", cuser.numlogins);
 break;
- case 'm':
+ case 'p': // current user posts
 w += snprintf(&strbuf[w], size - w,
- "%d", cuser.money);
+ "%d", cuser.numposts);
 break;
-#endif
 /* It's saver not to send these undefined escape string.
 default:
diff --git a/mbbsd/pmore.c b/mbbsd/pmore.c
index 44a405c6..afb07ecd 100644
--- a/mbbsd/pmore.c
+++ b/mbbsd/pmore.c
@@ -1394,7 +1394,12 @@ mf_display()
 buf[0] = '*';
 else
 {
- if(strchr("sbmlpn", buf[2]) != NULL)
+#ifdef LOW_SECURITY
+# define PTTPRINT_WARN_PATTERN "slpnbm"
+#else
+# define PTTPRINT_WARN_PATTERN "slpn"
+#endif // LOW_SECURITY
+ if(strchr(PTTPRINT_WARN_PATTERN, buf[2]) != NULL)
 {
 override_attr = ANSI_COLOR(1;37;41);
 override_msg = PMORE_MSG_WARN_FAKEUSERINFO;
-- cgit v1.2.3
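Review bot: The numeric cases (`'u'`, `'l'`, `'p'`) advance `w` by the return value of `snprintf`, which is the length that would have been written rather than the length actually stored. When the space left in `strbuf` is shorter than the number, `w` can move past `size`, and the next `size - w` wraps because `size` is a `size_t`. The string cases avoid this by adding `strlen(strbuf+w)` after the bounded copy, so the numeric ones could take the same shape: `snprintf(strbuf+w, size-w, "%d", cuser.numlogins); w += strlen(strbuf+w);`. Whether the surrounding loop already stops before `w` reaches `size` cannot be told from here, because the loop header of `Ptt_prints` is outside the hunk.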
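Review bot: The `LOW_SECURITY` branch of `PTTPRINT_WARN_PATTERN` still lists `b` and `m`, but the kaede.c hunk of this same commit deletes those cases from `Ptt_prints` outright instead of keeping them under the `#ifdef`, so as far as this patch shows that branch warns about escapes that are never expanded. Either keep a single definition, `#define PTTPRINT_WARN_PATTERN "slpn"`, or restore the guarded cases, and add a comment beside it such as `/* must list exactly the cuser escapes that Ptt_prints expands */`, since the two lists live in separate files and a missed update silently drops the fake-user-info warning. Defining the macro inside the body of `mf_display` also leaves it visible for the rest of the file, so file scope would be the clearer place. The body of `mf_display` starts and ends outside the hunk.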