Geas MUD, enter the Aventure!
Geas Home | Play the Game

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

3.6 Mapping/Array security

The problem, as indicated in chapter 2.2.9 earlier, is that mappings and arrays aren't copied every time they are moved around. Instead only a reference is passed. This is the basis for a lot of security blunders in the code. Consider this example where the object is a guild object that handles the membership of a guild. The global string Council which is saved elsewhere using save_object() contains the list of guild members.

string *Council;

public string
    return Council;

This looks all right, but... in fact you return the pointer to the original array. If someone else wants to add a member to your guild council he only has to do this:

    string *stolen_council;

    stolen_council = YOUR_GUILD_OB->query_council();

    stolen_council += ({ "olorin" }); // Add Olorin to the council

How to fix this then? Well, simply modify your query_council() routine to return Council + ({}) instead, and all is well. Easy to miss, but... sooooo important!

This document was generated by Ronny Wikh on July, 8 2003 using texi2html