changeset 66:c56f672244f4
arogue5: close security holes.
Prevent whoami (player name), file_name, and score_file from being
changed if the systemwide save location is being used.
author | elwin |
---|---|
date | Sat, 11 Aug 2012 16:27:20 +0000 |
parents | 7aff18a8d508 |
children | c49f7927b0fa |
files | arogue5/main.c arogue5/options.c arogue5/save.c |
diffstat | 3 files changed, 49 insertions(+), 14 deletions(-) [+] |
--- a/arogue5/main.c Fri Aug 10 21:17:14 2012 +0000
+++ b/arogue5/main.c Sat Aug 11 16:27:20 2012 +0000
@@ -92,7 +92,7 @@
 if ((env = getenv("ROGUEOPTS")) != NULL)
 parse_opts(env);
- if (whoami[0] == '\0')
+ if (!use_savedir && whoami[0] == '\0')
 strucpy(whoami, md_getusername(), strlen(md_getusername()));
 if (env == NULL || fruit[0] == '\0') {
@@ -194,17 +194,20 @@
 byebye(-1);
 }
- if ((whoami == NULL) || (*whoami == '\0') || (strcmp(whoami,"dosuser")==0))
- {
- echo();
- mvaddstr(23,2,"Rogue's Name? ");
- wgetnstr(stdscr,whoami,LINELEN);
- noecho();
+ if (!use_savedir) {
+ if ((whoami == NULL) || (*whoami == '\0') ||
+ (strcmp(whoami,"dosuser")==0))
+ {
+ echo();
+ mvaddstr(23,2,"Rogue's Name? ");
+ wgetnstr(stdscr,whoami,LINELEN);
+ noecho();
+ }
+
+ if ((whoami == NULL) || (*whoami == '\0'))
+ strcpy(whoami,"Rodney");
 }
- if ((whoami == NULL) || (*whoami == '\0'))
- strcpy(whoami,"Rodney");
-
 setup();
 /*
 * Set up windows
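Review bot: In the second hunk, when `use_savedir` is set both the name prompt and the `"Rodney"` fallback are skipped, so `setup()` runs with whatever `whoami` already holds, and nothing visible here shows where that value is set or guarantees it is non-empty. The first hunk skips the `md_getusername()` default under the same condition. I would document the invariant at the new guard, for example `/* with use_savedir, whoami is fixed before this point and must not be changed here */`, adjusted to wherever it is actually assigned. The carried-over `whoami == NULL` tests also look dead if `whoami` is an array, as `whoami[0]` in the first hunk suggests. The enclosing function starts and ends outside both hunks.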
--- a/arogue5/options.c Fri Aug 10 21:17:14 2012 +0000
+++ b/arogue5/options.c Sat Aug 11 16:27:20 2012 +0000
@@ -38,6 +38,7 @@
 get_bool(),
 put_str(),
 get_str(),
+ get_restr(),
 put_abil(),
 get_abil(),
 get_quest(),
@@ -57,19 +58,34 @@
 {"pickup", "Pick things up automatically: ",
 (int *) &auto_pickup, put_bool, get_bool },
 {"name", "Name: ",
- (int *) whoami, put_str, get_str },
+ (int *) whoami, put_str, get_restr },
 {"fruit", "Fruit: ",
 (int *) fruit, put_str, get_str },
 {"file", "Save file: ",
- (int *) file_name, put_str, get_str },
+ (int *) file_name, put_str, get_restr },
 {"score", "Score file: ",
- (int *) score_file, put_str, get_str },
+ (int *) score_file, put_str, get_restr },
 {"class", "Character class: ",
 (int *)&char_type, put_abil, get_abil },
 {"quest", "Quest item: ",
 (int *) &quest_item, put_quest, get_quest }
 };
+/* For fields that would be restricted if use_savedir is set. */
+int get_restr(char *optstr, WINDOW *win)
+{
+ int oy, ox;
+
+ if (use_savedir)
+ {
+ getyx(win, oy, ox);
+ put_str(optstr, win);
+ return get_ro(win, oy, ox);
+ }
+ else
+ return get_str(optstr, win);
+}
+
 /*
 * The ability field is read-only
 */
@@ -343,6 +359,11 @@
 * Look it up and deal with it
 */
 for (op = optlist; op <= &optlist[NUM_OPTS-1]; op++)
+ /* None of these can be changed if using system savefiles. */
+ if (use_savedir && (!strcmp(op->o_name, "name") ||
+ !strcmp(op->o_name, "file") ||
+ !strcmp(op->o_name, "score") ))
+ continue;
 if (EQSTR(str, op->o_name, len))
 {
 if (op->o_putfunc == put_bool) /* if option is a boolean */
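Review bot: The new `if (use_savedir && ...) continue;` in the third hunk is inserted directly under `for (op = optlist; op <= &optlist[NUM_OPTS-1]; op++)`, which has no opening brace in the lines shown, so it becomes the entire loop body. The following `if (EQSTR(str, op->o_name, len))` block would then run once after the loop, with `op` one past the end of `optlist`. If that reading is right, options are presumably no longer matched against the table and `op->o_name` is read out of bounds. Either brace the loop body or chain the test as `else if (EQSTR(str, op->o_name, len))`, so both checks stay inside the loop. The loop body continues past the end of the hunk.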
--- a/arogue5/save.c Fri Aug 10 21:17:14 2012 +0000
+++ b/arogue5/save.c Sat Aug 11 16:27:20 2012 +0000
@@ -41,7 +41,10 @@
 mpos = 0;
 if (file_name[0] != '\0')
 {
- msg("Save file (%s)? ", file_name);
+ if (use_savedir)
+ msg("Save game? ");
+ else
+ msg("Save file (%s)? ", file_name);
 do
 {
 c = readchar();
@@ -53,6 +56,10 @@
 msg("File name: %s", file_name);
 goto gotfile;
 }
+ if (use_savedir) {
+ msg("");
+ return FALSE;
+ }
 }
 do
@@ -69,7 +76,11 @@
 strcpy(file_name, buf);
 gotfile:
 if ((savef = fopen(file_name, "w")) == NULL)
+ {
 msg(strerror(errno)); /* fake perror() */
+ if (use_savedir)
+ return FALSE;
+ }
 } while (savef == NULL);
 /*
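Review bot: The refusal added in the second hunk, `if (use_savedir) { msg(""); return FALSE; }`, sits inside the `if (file_name[0] != '\0')` block, so if `file_name` is ever empty while `use_savedir` is set, control falls through to the `do` loop that follows. The `strcpy(file_name, buf)` visible in the third hunk suggests that loop accepts a typed file name. Whether `file_name` can be empty in that mode is not visible here. If it cannot, a comment saying so would help; otherwise move the guard to just after the closing brace of that block so the prompt is unreachable under `use_savedir`. The function starts before the first hunk and continues past the last.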