From 641a045ea5407a56626c7ea718efc7bbf5152ba1 Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Sun, 5 May 2019 20:37:43 +0000 Subject: [PATCH] Escape replacement macros in preferences Don't let users inject replacement macros into their preferences, just escape them so they're harmless. Also adjust the preferences tests to include macros so this safety measure does not regress. --- mudpy/command.py | 4 ++++ mudpy/tests/selftest.py | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/mudpy/command.py b/mudpy/command.py index ebd9036..1138aa8 100644 --- a/mudpy/command.py +++ b/mudpy/command.py @@ -237,6 +237,10 @@ def move(actor, parameters): def preferences(actor, parameters): """List, view and change actor preferences.""" + + # Escape replacement macros in preferences + parameters = mudpy.misc.escape_macros(parameters) + message = "" arguments = parameters.split() allowed_prefs = set() diff --git a/mudpy/tests/selftest.py b/mudpy/tests/selftest.py index 2325f62..d98755a 100644 --- a/mudpy/tests/selftest.py +++ b/mudpy/tests/selftest.py @@ -165,9 +165,9 @@ test_admin_setup = ( test_preferences = ( (0, "> ", "preferences"), - (0, r"prompt \x1b\[32m.*> ", "preferences prompt #"), - (0, r"# ", "preferences prompt"), - (0, r"#.*# ", "preferences prompt >"), + (0, r"prompt \x1b\[32m.*> ", "preferences prompt $(foo)"), + (0, r"\$\(foo\) ", "preferences prompt"), + (0, r"\$\(foo\).*\$\(foo\) ", "preferences prompt >"), (2, "> ", "preferences loglevel 0"), (2, "> ", "preferences"), (2, r"loglevel \x1b\[32m0\x1b\[0m.*> ", "preferences loglevel zero"), -- 2.11.0