|
Math Beginner
Joined: 25 Apr 2006 Posts: 10
|
Posted: Sat May 06, 2006 12:45 pm
Trigger For Capturing Channel Output |
I have a few triggers that capture messages from different channels, displaying each channel in a different window. The triggers look like this:
Code: |
#TRIGGER {^~[ Group~: (*) ~]~: '(*)'} {#WIN Group %ansi( gray)"------------------------------------------------------";#WIN Group %ansi( hi)%time( "h:nnA/P")"M ["%1"]: " %ansi( white)%2} "Chat" {case}
|
This sends all messages from the group channel to a group window, which looks like this:
Code: |
------------------------------------------------------
8:29AM [Dryst]: Hi
------------------------------------------------------
8:33AM [You]: sorry lagging
|
This works okay, but as this trigger is, it can be exploited by a malicious user. Someone could send a message such as the following:
gt Hello;;;remove all;drop all
Unfortunately, zMUD would execute all those commands.
I attempted to correct this with the following change:
Code: |
#TRIGGER {^~[ Group~: (*) ~]~: '(*)'} {#WIN Group %ansi( gray)"------------------------------------------------------";#WIN Group %ansi( hi)%time( "h:nnA/P")"M ["%1"]: " %ansi( white)%replace( %2,";","")} "Chat" {case}
|
This avoids the exploit I mentioned above, but it also causes some messages to not be completely captured. I am not sure why this occurs though.
For example, if I send the following message with the non-exploitable version of the trigger:
Code: |
gt This is a test: I have 1,234,567 platinum coins.
|
I receive only the following in the window for that channel's output:
Code: |
8:42AM [You]: This is a test: I have 1
|
What am I doing wrong here? |
|
|
|
MattLofton GURU
Joined: 23 Dec 2000 Posts: 4834 Location: USA
|
Posted: Sat May 06, 2006 8:59 pm |
Surround %2 with quotes; otherwise zMUD can't figure out which commas go where.
|
|
_________________ EDIT: I didn't like my old signature |
|
|
|
Math Beginner
Joined: 25 Apr 2006 Posts: 10
|
Posted: Sat May 06, 2006 9:32 pm |
That worked. Thanks!
The quotes caused the syntax coloring to go away, but it still works. |
|
|
|
Math Beginner
Joined: 25 Apr 2006 Posts: 10
|
Posted: Sun May 07, 2006 1:58 am |
A slight change to the replace function I used improves this:
Code: |
#TRIGGER {^~[ Group~: (*) ~]~: '(*)'} {#WIN Group %ansi( gray)"------------------------------------------------------";#WIN Group %ansi( hi)%time( "h:nnA/P")"M ["%1"]: " %ansi( white)%replace( "%2",";","~;")} "Chat" {case}
|
Now, the exploit attempt I posted above of: gt Hello;;;remove all;drop all
would appear as follows in the output window:
Code: |
------------------------------------------------------
9:50PM [Dryst]: Hello;;;remove all;drop all
|
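The three trigger variants from this thread, replayed against a simplified Python model of a client that splits commands on `;` and treats `~` as a quote character. This is an added example, not code from any poster and not zMUD's actual parser; the function names and the shortened `#WIN Group` body are assumptions made for illustration.

```python
SEP, QUOTE = ";", "~"  # separator and quote character as used in the thread

def split_commands(line):
    """Simplified model (an assumption, not zMUD's parser): split on every
    SEP that is not quoted; QUOTE makes the next character literal."""
    cmds, cur, i = [], "", 0
    while i < len(line):
        if line[i] == QUOTE and i + 1 < len(line):
            cur += line[i + 1]
            i += 2
        elif line[i] == SEP:
            cmds.append(cur)
            cur = ""
            i += 1
        else:
            cur += line[i]
            i += 1
    cmds.append(cur)
    return [c.strip() for c in cmds if c.strip()]

def raw(msg):
    # First trigger: captured text is inserted unchanged.
    return msg

def strip_sep(msg):
    # Second trigger: %replace(%2, ";", "") deletes the separator.
    return msg.replace(SEP, "")

def escape_sep(msg):
    # Final trigger: %replace("%2", ";", "~;") quotes the separator.
    return msg.replace(SEP, QUOTE + SEP)

def run_trigger(who, msg, sanitize):
    """Expand a shortened, hypothetical trigger body and split it.
    Returns (text shown in the window, commands that would go to the MUD)."""
    prefix = "#WIN Group "
    cmds = split_commands(prefix + "[" + who + "]: " + sanitize(msg))
    shown = [c[len(prefix):] for c in cmds if c.startswith(prefix)]
    sent = [c for c in cmds if not c.startswith("#WIN")]
    return shown, sent

if __name__ == "__main__":
    msg = "Hello;;;remove all;drop all"  # constructed from the thread's example
    for variant in (raw, strip_sep, escape_sep):
        print(variant.__name__, run_trigger("Dryst", msg, variant))
```

Deleting the separator stops the extra commands but changes the logged text, while quoting it keeps the message intact in the window.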