Complete.Org: Mailing Lists: Archives: freeciv-dev: May 2005:
[Freeciv-Dev] (PR#11851) Hack request should verify userid in addition t
Cc: reinpost@xxxxxxxxxx
Subject: [Freeciv-Dev] (PR#11851) Hack request should verify userid in addition to random string
From: "Ed Overton" <edoverton@xxxxxxxxxx>
Date: Tue, 24 May 2005 10:16:12 -0700
Reply-to: bugs@xxxxxxxxxxx

<URL: http://bugs.freeciv.org/Ticket/Display.html?id=11851 >

> [rp - Tue May 24 16:57:11 2005]:

> My question: it seems a lot cleaner and more secure to do away
> with all the special code and instead just let the client write
> a temporary startup file containing the /cmdlevel hack command,
> then make it invoke the server as
> 
>   civserver -r mygenerated.rc

> Let me know if there's something I'm missing.

That introduces two race conditions.  First, the .rc file might be
altered prior to the server reading it.  Second, and much more
significant, a startup .rc file must specify /cmdlevel hack first (or 
refer to a connection name).  However, the "right" client might not be
the first to contact the server - so the "wrong" client has a window of
opportunity to claim first (or to claim that connection name) prior to
the "right" one.
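
As an added example (not part of the original message and not Freeciv's code): one way a server can narrow the first race when it reads a client-written file is to open it once, then check the owner and mode on the open descriptor before reading. `read_owned_file` and `make_sample_file` are hypothetical names and the token is constructed; the second race (which client connects first) is not addressed by this check.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: read a client-written file only if it is a regular
 * file owned by expected_uid and not writable by group or others. The checks
 * use fstat() on the open descriptor, so the file that is checked is the file
 * that is read. Returns the number of bytes read, or -1 if refused. */
ssize_t read_owned_file(const char *path, uid_t expected_uid, char *buf, size_t len)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;                       /* missing, or a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != expected_uid || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;                               /* wrong type, owner or mode */
    }
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* Constructed sample: fill in a mkstemp() template and write text (mode 0600). */
int make_sample_file(char *path, const char *text)
{
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t w = write(fd, text, strlen(text));
    close(fd);
    return w == (ssize_t)strlen(text) ? 0 : -1;
}

int main(void)
{
    char path[] = "/tmp/hack-demo-XXXXXX", buf[64];
    if (make_sample_file(path, "constructed-token") != 0) return 1;
    printf("owner matches: %zd\n", read_owned_file(path, geteuid(), buf, sizeof buf));
    printf("other uid:     %zd\n", read_owned_file(path, geteuid() + 1, buf, sizeof buf));
    unlink(path);
    return 0;
}
```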


