Fixed possible exploit, improved existing code
Removed possibility for certain special characters to cause the script
to crash.  Made the chat command function simpler.  Removed use of
eval because it did basically nothing
doomsider committed Jun 10, 2016
1 parent 8e90b2f commit 3332c5b
Showing 2 changed files with 29 additions and 37 deletions.
12 changes: 7 additions & 5 deletions core/core_loops.dtsd
@@ -89,16 +89,16 @@ core_logloop() {
IFS=$OLD_IFS
# Reset the database so the same command is not read repeatedly
mysql --defaults-extra-file=$CONFIGDTSD_INSTALLPATH/core/shadow.cnf -e "truncate table COMMANDDB;"
COMMANDARRAY=0
POSITIONCOMMANDARRAY=0
PARAMETERARRAY=0
# Go through each command and parameter received and execute them with eval
while [ -n "${RECIEVEDCOMMAND[$COMMANDARRAY]+set}" ]
while [ -n "${RECIEVEDCOMMAND[$POSITIONCOMMANDARRAY]+set}" ]
do
RECIEVEDCOMMAND=${RECIEVEDCOMMAND[$COMMANDARRAY]}
RECIEVEDCOMMAND=${RECIEVEDCOMMAND[$POSITIONCOMMANDARRAY]}
RECIEVEDPARAMETER=${RECIEVEDPARAMETER[$PARAMETERARRAY]}
#echo "executing $RECIEVEDCOMMAND $RECIEVEDPARAMETER"
eval $RECIEVEDCOMMAND '$RECIEVEDPARAMETER'
let COMMANDARRAY++
$RECIEVEDCOMMAND ${RECIEVEDPARAMETER}
let POSITIONCOMMANDARRAY++
let PARAMETERARRAY++
done
fi
@@ -108,6 +108,8 @@ core_logloop() {
fi
done
}
# Trap is used here to restart logloop if it exits due to a bad call
# trap core_logloop EXIT
core_makesearchdb() {
# Make the search database which contains all the search strings and their related functions
log_myerasetable SEARCHDB
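Review bot: The new dispatch line `$RECIEVEDCOMMAND ${RECIEVEDPARAMETER}` still uses a string read from COMMANDDB as the command word, so removing eval stops the second parse but any function, builtin or program on PATH named in a row is still run. Both expansions are unquoted, so the values are word-split and glob-expanded, and a `*` in a parameter is replaced by file names from the working directory. I would only call names that are defined functions and pass the parameter quoted, `if declare -F -- "$RECIEVEDCOMMAND" >/dev/null; then "$RECIEVEDCOMMAND" "$RECIEVEDPARAMETER"; fi`, keeping the two `let` increments outside the `if`; if the handlers rely on the split, wrap the call in `set -f` / `set +f` instead of quoting. The comment above the loop still says the commands are executed "with eval" and should be updated. How rows reach COMMANDDB is not visible here, and core_logloop starts before this hunk.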
54 changes: 22 additions & 32 deletions modules/chatfunctions.dtsd
@@ -32,11 +32,11 @@ chat_log() {
CUTSTRING=${CUTSTRING#*=}
# Remove everything after ] to get message
MESSAGESTRING=${CUTSTRING%%]*}
echo "This was sent to chat log $@"
echo "This was the message $MESSAGESTRING"
echo "This was sender $SENDERNAME"
echo "This was receiver $RECEIVERNAME"
echo "This was receivertype $RECEIVERTYPE"
#echo "This was sent to chat log $@"
#echo "This was the message $MESSAGESTRING"
#echo "This was sender $SENDERNAME"
#echo "This was receiver $RECEIVERNAME"
#echo "This was receivertype $RECEIVERTYPE"
# [CHAT is error value for SENDERNAME
mysql --defaults-extra-file=$CONFIGDTSD_INSTALLPATH/core/shadow.cnf -e "INSERT INTO CHATLOG (SENDER, CHATSTRING, RECIEVER) VALUES (\"$SENDERNAME\",\"$MESSAGESTRING\",\"$RECEIVERNAME\");"
}
@@ -75,39 +75,29 @@ chat_commands() {
COMMANDARRAY=($MESSAGECUT)
USERCOMMAND=${COMMANDARRAY[0]}
USERCOMMAND=${USERCOMMAND^^}
USERCOMMAND="chatcommand_$USERCOMMAND"
USERPARAMETERS=${COMMANDARRAY[@]:1}
echo "User is $SENDERNAME"
echo "Command is $USERCOMMAND"
echo ${#USERCOMMAND}
echo "Parameters are $USERPARAMETERS"
echo "List of chat commands $CHATCOMMANDS[@]"
CHATCOMMANDARRAY=0
COMMANDFOUND=false
while [ -n "${CHATCOMMANDS[$CHATCOMMANDARRAY]+set}" ]
do
CURRENTCHATCOMMAND=${CHATCOMMANDS[$CHATCOMMANDARRAY]}
# echo "This is the current Chat Command $CURRENTCHATCOMMAND"
CUTCHATCOMMAND=${CURRENTCHATCOMMAND#*_}
# echo "This remove chatcommand to get only the command name $CUTCHATCOMMAND"
if [ "$CUTCHATCOMMAND" = "$USERCOMMAND" ]
#echo "List of chat commands ${CHATCOMMANDS[@]}"
if lib_arraycontains CHATCOMMANDS $USERCOMMAND
then
echo "Chat command found"
USERCOMMAND=${USERCOMMAND#*_}
if check_player_rank_allowed $USERCOMMAND $SENDERNAME
then
echo "Chat Command found"
COMMANDFOUND=true
if check_player_rank_allowed $USERCOMMAND $SENDERNAME
then
eval $CURRENTCHATCOMMAND "$SENDERNAME" $USERPARAMETERS
else
echo "Command not authorized"
lib_screensend $CONFIGDTSD_MAINSCREEN /pm $SENDERNAME "You do not have permission to use that command!"
fi
let CHATCOMMANDARRAY++
USERCOMMAND="chatcommand_$USERCOMMAND"
$USERCOMMAND "$SENDERNAME" $USERPARAMETERS
else
let CHATCOMMANDARRAY++
fi
done
if [ $COMMANDFOUND = false ]
then
lib_screensend $CONFIGDTSD_MAINSCREEN /pm $SENDERNAME "Unknown command. Please use !HELP for a list of the commands you can use"
fi
echo "Command not authorized"
lib_screensend $CONFIGDTSD_MAINSCREEN /pm $SENDERNAME "You do not have permission to use that command!"
fi
else
echo "No matching chat command"
lib_screensend $CONFIGDTSD_MAINSCREEN /pm $SENDERNAME "Unknown command. Please use !HELP for a list of the commands you can use"
fi
fi
}
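Review bot: In chat_commands the player's text is still expanded unquoted on the new lines `if lib_arraycontains CHATCOMMANDS $USERCOMMAND` and `$USERCOMMAND "$SENDERNAME" $USERPARAMETERS`, so glob characters typed in chat are expanded against the server's working directory before the handler sees them. The CHATCOMMANDS lookup works as an allowlist for the command word (assuming lib_arraycontains matches exactly, which is not shown here), but the arguments need the same care. I would keep the parameters as an array, `USERPARAMETERS=("${COMMANDARRAY[@]:1}")`, call `"$USERCOMMAND" "$SENDERNAME" "${USERPARAMETERS[@]}"`, and quote `"$USERCOMMAND"` and `"$SENDERNAME"` in the lib_arraycontains, check_player_rank_allowed and lib_screensend calls. The context line `COMMANDARRAY=($MESSAGECUT)` globs the same way and could become `read -ra COMMANDARRAY <<< "$MESSAGECUT"`. The unchanged INSERT in chat_log also builds its SQL by interpolating the same chat strings, which this commit leaves as is; both functions begin outside the hunks shown.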
