--- deliantra/server/ext/login.ext 2006/12/27 15:04:38 1.8 +++ deliantra/server/ext/login.ext 2007/01/04 16:19:31 1.9 @@ -7,7 +7,10 @@ my $PLAYERDIR = sprintf "%s/%s", cf::localdir, cf::playerdir; -# testbed for coroutines in crossfire : +# paranoia function to overwrite a string-in-place +sub nuke_str { + substr $_[0], 0, (length $_[0]), "x" x length $_[0] +} sub query { my ($ns, $flags, $text) = @_; @@ -147,6 +150,7 @@ my $hash = $1; if ($hash eq crypt $pass, $hash) { + nuke_str $pass; # password matches, wonderful my $pl = cf::player::load $plfile or next; $pl->enable_save (1); @@ -162,6 +166,7 @@ cf::NDI_RED ); + #TODO: nuke_str (query $ns, cf::CS_QUERY_SINGLECHAR, "Delete existing account and create a new one (Y/N)?") =~ /^[yY]/ or next; @@ -173,6 +178,8 @@ # fall through to creation } else { + nuke_str $pass; + Coro::Timer::sleep 1; $ns->send_drawinfo ( @@ -192,6 +199,8 @@ my $pass2 = query $ns, cf::CS_QUERY_HIDEINPUT, "Please type your password again."; if ($pass2 ne $pass) { + nuke_str $pass; + nuke_str $pass2; $ns->send_drawinfo ( "The passwords do not match, please try again.", cf::NDI_RED @@ -199,9 +208,12 @@ next; } + nuke_str $pass2; + my $pl = cf::player::create; $pl->ob->name ($user); $pl->password (crypt $pass, join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64]); + nuke_str $pass; $pl->connect ($ns); my $ob = $pl->ob;
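Review bot: The comment on `nuke_str` in the first hunk (-7,7 +7,10) promises more than the helper delivers. The four-argument `substr` rewrites only the caller's scalar reached through the `@_` alias, so any other copy of the password (the value as it passed through `query`, read buffers, temporaries) is left as it was. I would reword it to `# best-effort: overwrites the caller's scalar via the @_ alias; other copies of the string are not touched`. The sub also assumes a defined argument; if `query` can return undef (not visible here), a first statement `return unless defined $_[0];` avoids uninitialized-value warnings. Because `length` counts characters, a string with multi-byte characters would presumably shrink in bytes when replaced by "x", possibly leaving the tail of the old buffer unwritten, which is worth confirming.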
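Review bot: The `#TODO: nuke_str` placeholder in the third hunk (-162,6 +166,7) leaves the `or next` exit without a wipe, so any answer other than Y at the delete-account prompt appears to leave `$pass` intact until the variable is reused or goes out of scope. Assuming `$pass` is still in scope here (its declaration is outside the hunk), the exit could become `=~ /^[yY]/ or do { nuke_str $pass; next };`. The wipes in the hunks at -147, -173, -192 and -199 are likewise placed by hand on each branch, and the enclosing block starts and ends outside every hunk, so other early exits between them may need the same call. A short comment at the declaration of `$pass` stating that every exit from the attempt must wipe it would make a missed branch easier to spot in review.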