Complete.Org: Mailing Lists: Archives: freeciv-dev: January 2005:
[Freeciv-Dev] (PR#11851) Hack request should verify userid in addition t

[Freeciv-Dev] (PR#11851) Hack request should verify userid in addition t

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
Subject: [Freeciv-Dev] (PR#11851) Hack request should verify userid in addition to random string
From: "Ed Overton" <edoverton@xxxxxxxxxx>
Date: Thu, 13 Jan 2005 20:49:04 -0800
Reply-to: bugs@xxxxxxxxxxx

<URL: >

> [vasc - Tue Jan 11 13:40:53 2005]:
> On Mon, 10 Jan 2005, Ed Overton wrote:

> > ...  My intent is to add the
> > environment variable check to the existing filesystem check.
> Oh, I would go even further than that and replace the filesystem check
> altogether.

That concerns me a little.  If the filesystem check isn't there, then a
remote cracked client could just try a bunch of keys until it finds one
that works.  That issue becomes even more critical given that there's no
encryption - so a malicious user could sniff packets to see the valid
key (in plaintext), then simply submit that identical key from the
user's client.

The filesystem check is doing good work that the environment variable
check cannot duplicate:  it ensures that the client and server are both
on the same machine (and as discussed before, hopefully it's also
validating that the client can write into the file space owned by the
userid running the server, thereby implying that the two processes are
owned by the same userid).  In that context, I think it makes sense to
leave the filesystem check in place.

> > I'll take a crack at it in the next day or two.

So much for that.  Hopefully I'll have some time this weekend.


[Prev in Thread] Current Thread [Next in Thread]