--- deliantra/server/common/utils.C 2009/01/12 03:40:21 1.86
+++ deliantra/server/common/utils.C 2009/10/20 05:57:08 1.91
@@ -5,18 +5,19 @@
* Copyright (©) 2002,2007 Mark Wedel & Crossfire Development Team
* Copyright (©) 1992,2007 Frank Tore Johansen
*
- * Deliantra is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ * Deliantra is free software: you can redistribute it and/or modify it under
+ * the terms of the Affero GNU General Public License as published by the
+ * Free Software Foundation, either version 3 of the License, or (at your
+ * option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
+ * You should have received a copy of the Affero GNU General Public License
+ * and the GNU General Public License along with this program. If not, see
+ * .
*
* The authors can be reached via e-mail to
*/
@@ -34,6 +35,7 @@
#include
#include
+#include
#include
#include
@@ -410,43 +412,26 @@
result[resultlen] = '\0';
}
-/**
- * Taking a string as an argument, mutate it into a string that looks like a list.
- * a 'list' for the purposes here, is a string of items, seperated by commas, except
- * for the last entry, which has an 'and' before it, and a full stop (period) after it.
- * This function will also strip all trailing non alphanumeric characters.
- * It does not insert an oxford comma.
+/******************************************************************************/
+
+/* Checks a player-provided string which will become the msg property of
+ * an object for dangerous input.
*/
-void
-make_list_like (char *input)
+bool
+msg_is_safe (const char *msg)
{
- char *p, tmp[MAX_BUF];
- int i;
+ bool safe = true;
- if (!input || strlen (input) > MAX_BUF - 5)
- return;
- /* bad stuff would happen if we continued here, the -5 is to make space for ' and ' */
+ /* Trying to cheat by getting data into the object */
+ if (!strncmp (msg, "endmsg", sizeof ("endmsg") - 1)
+ || strstr (msg, "\nendmsg"))
+ safe = false;
- strncpy (tmp, input, MAX_BUF - 5);
- /*trim all trailing commas, spaces etc. */
- for (i = strlen (tmp); !isalnum (tmp[i]) && i >= 0; i--)
- tmp[i] = '\0';
-
- strcat (tmp, ".");
-
- p = strrchr (tmp, ',');
- if (p)
- {
- *p = '\0';
- strcpy (input, tmp);
- p++;
- strcat (input, " and");
- strcat (input, p);
- }
- else
- strcpy (input, tmp);
+ /* Trying to make the object talk, and potentially access arbitrary code */
+ if (object::msg_has_dialogue (msg))
+ safe = false;
- return;
+ return safe;
}
/////////////////////////////////////////////////////////////////////////////
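Review bot: msg_is_safe dereferences msg through strncmp and strstr in its first check without a null guard, and the header comment above it does not state that the pointer must be non-null or what the return value means; the function this hunk removes did guard its input, so it is worth being explicit if any caller can hand over a null msg. Suggest extending the comment to `/* msg must be non-null. Returns true when it may be stored, false when it starts with or contains an "endmsg" line or dialogue markup (object::msg_has_dialogue). */`, or adding `if (!msg) return true;` before the first check so a missing message is treated as having nothing to inspect, whichever matches the callers. The rejection of only a leading "endmsg" and a "\nendmsg" substring assumes that a bare newline is the only line terminator the object loader honours; a one-line comment stating that assumption next to the check would help the next reader. As a point of style, the two `safe = false` assignments could simply be `return false;`, dropping the local.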
@@ -590,16 +575,20 @@
return len;
}
-const char *
-format (const char *format, ...)
+char *
+vformat (const char *format, va_list ap)
{
- static dynbuf_text buf;
-
- buf.clear ();
+ static dynbuf_text buf; buf.clear ();
+ buf.vprintf (format, ap);
+ return buf;
+}
+char *
+format (const char *format, ...)
+{
va_list ap;
va_start (ap, format);
- buf.vprintf (format, ap);
+ char *buf = vformat (format, ap);
va_end (ap);
return buf;
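Review bot: vformat returns a `char *` into a single function-static dynbuf_text, so the pointer handed out by format/vformat is only valid until the next call and, with the signature changed from `const char *`, is now writable by the caller, yet nothing in the hunk documents this. A nested use such as passing one format() result as an argument to another may have the inner text discarded by `buf.clear ()` before vprintf reads it, and the unsynchronised static is not safe should this ever be called from more than one thread. Suggest a header comment above vformat: `/* Formats into one static buffer shared by format/vformat: the result is overwritten by the next call, must not be freed, and must not be passed back into format. */`. The `return buf;` in vformat presumably goes through a dynbuf_text to char* conversion that is not visible here, and format's closing brace lies outside the hunk.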