X-Git-Url: https://mudpy.org/gitweb?p=mudpy.git;a=blobdiff_plain;f=mudpy%2Fcommand.py;h=279da788d9c63389b55af720f9bf3dca1ea78fa5;hp=0ffff978407e74298886cf762e1a51b0a7e00952;hb=0de1cbedcdff936f461aa6b9421cb925295bba10;hpb=bf6ed46991ffdc587d4e70362a4bd20d6f84fcee diff --git a/mudpy/command.py b/mudpy/command.py index 0ffff97..279da78 100644 --- a/mudpy/command.py +++ b/mudpy/command.py @@ -1,6 +1,6 @@ """User command functions for the mudpy engine.""" -# Copyright (c) 2004-2019 mudpy authors. Permission to use, copy, +# Copyright (c) 2004-2020 mudpy authors. Permission to use, copy, # modify, and distribute this software is granted under terms # provided in the LICENSE file distributed with this software. @@ -23,6 +23,7 @@ def chat(actor, parameters): actor.send("Exiting chat mode.") else: actor.send("Sorry, but you're already busy with something else!") + return True def create(actor, parameters): @@ -57,6 +58,7 @@ def create(actor, parameters): elif len(arguments) > 2: message = "You can only specify an element and a filename." actor.send(message) + return True def delete(actor, parameters): @@ -84,6 +86,7 @@ def delete(actor, parameters): + '". Try "show element ' + element + '" for verification.') actor.send(message) + return True def destroy(actor, parameters): @@ -105,13 +108,16 @@ def destroy(actor, parameters): 6 ) actor.send(message) + return True def error(actor, input_data): """Generic error for an unrecognized command word.""" # 90% of the time use a generic error - if random.randrange(10): + # Allow the random.randrange() call in bandit since it's not used for + # security/cryptographic purposes + if random.randrange(10): # nosec message = '''I'm not sure what "''' + input_data + '''" means...''' # 10% of the time use the classic diku error 
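Review bot: The `return True` added at the end of `chat` is reached on every path, including the one that sends "Sorry, but you're already busy with something else!", and nothing in the hunk says what the value means to the caller. The same applies to the matching additions in `create`, `delete`, `destroy`, `error`, `halt`, `help`, `look`, `preferences`, `quit`, `reload`, `say`, `c_set` and `show`. If the value only signals that the command was handled, I would say so in each docstring or once in the module docstring, e.g. `Command functions return True once the command has been handled, whether or not it succeeded.`; that wording is inferred from the diff and should be checked against the caller, which is not shown. The body of `chat` starts outside the hunk.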
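Review bot: The bare `# nosec` on `if random.randrange(10):` in `error` silences every bandit check on that line, not just the pseudo-random generator warning the new comment describes. Scoping it to the one finding keeps later issues on the line visible: `if random.randrange(10):  # nosec B311`. The `eval(  # nosec` marker added in the `show` hunk has the same problem and could carry `B307` instead. Both ids are bandit's standard ones for these checks; whether the project's pinned bandit version accepts ids after `nosec` is not visible here.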
@@ -125,6 +131,7 @@ def error(actor, input_data): mudpy.misc.log( 'Sending a command error to user %s raised exception...\n%s' % ( actor.owner.account.get("name"), traceback.format_exc())) + return True def halt(actor, parameters): @@ -145,6 +152,7 @@ def halt(actor, parameters): # set a flag to terminate the world actor.universe.terminate_flag = True + return True def help(actor, parameters): @@ -163,7 +171,7 @@ def help(actor, parameters): description = command.get("description") if not description: description = "(no short description provided)" - if command.get("administrative"): + if command.is_restricted(): output = "$(red)" else: output = "$(grn)" @@ -186,7 +194,7 @@ def help(actor, parameters): if actor.can_run(command): if really_see_also: really_see_also += ", " - if command.get("administrative"): + if command.is_restricted(): really_see_also += "$(red)" else: really_see_also += "$(grn)" @@ -236,7 +244,7 @@ def help(actor, parameters): "description", "(no short description provided)") # administrative command names are in red, others in green - if command.get("administrative"): + if command.is_restricted(): color = "red" else: color = "grn" @@ -251,6 +259,7 @@ def help(actor, parameters): # send the accumulated output to the user actor.send(output) + return True def look(actor, parameters): @@ -259,6 +268,7 @@ def look(actor, parameters): actor.send("You can't look at or in anything yet.") else: actor.look_at(actor.get("location")) + return True def move(actor, parameters): @@ -269,6 +279,7 @@ def move(actor, parameters): actor.move_direction(portal) return(portal) actor.send("You cannot go that way.") + return True def preferences(actor, parameters): @@ -316,6 +327,7 @@ def preferences(actor, parameters): 'Preference "%s" cannot be set to type "%s".' % ( pref, type(value))) actor.send(message) + return True def quit(actor, parameters): 
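Review bot: In `move`, the successful path still ends in `return(portal)` while the new fall-through after "You cannot go that way." returns `True`, so the function now yields a portal name on success and a boolean on failure. If callers only test truthiness, both read as the same outcome; if they expect the boolean the other commands return, the success path is the odd one out. I would make the two agree, e.g. change the success line to `return True`, unless a caller outside this diff uses the portal value. The code that selects `portal` starts outside the hunk.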
@@ -323,6 +335,7 @@ def quit(actor, parameters): if actor.owner: actor.owner.state = "main_utility" actor.owner.deactivate_avatar() + return True def reload(actor, parameters): @@ -339,6 +352,7 @@ def reload(actor, parameters): # set a flag to reload actor.universe.reload_flag = True + return True def say(actor, parameters): @@ -422,6 +436,7 @@ def say(actor, parameters): # there was no message else: actor.send("What do you want to say?") + return True def c_set(actor, parameters): @@ -459,6 +474,7 @@ def c_set(actor, parameters): + '". Try "show element ' + element + '" for verification.') actor.send(message) + return True def show(actor, parameters): @@ -537,7 +553,12 @@ def show(actor, parameters): message = "You need to specify an expression." else: try: - message = repr(eval(" ".join(arguments[1:]))) + # there is no other option than to use eval() for this, since + # its purpose is to evaluate arbitrary expressions, so do what + # we can to secure it and allow it for bandit analysis + message = repr(eval( # nosec + " ".join(arguments[1:]), + {"mudpy": mudpy, "universe": actor.universe})) except Exception as e: message = ("$(red)Your expression raised an exception...$(eol)" "$(eol)$(bld)%s$(nrm)" % e) @@ -574,3 +595,4 @@ def show(actor, parameters): else: message = '''I don't know what "''' + parameters + '" is.' actor.send(message) + return True
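Review bot: The globals dict passed to `eval()` in `show` does not restrict what an expression can do, so the new comment "do what we can to secure it" overstates the protection. Python inserts the built-in namespace into a globals mapping that lacks a `__builtins__` key, and `mudpy` and `universe` are themselves handed in, so the expression keeps full access to the process. The effective control is whatever limits this subcommand to administrators, which is outside the hunk; I would state that in the comment, e.g. `# the globals dict is a convenience, not a sandbox; this branch must stay restricted to administrators`, and log each evaluated expression with the existing `mudpy.misc.log()` so use of it is auditable. `show` starts and ends outside the hunk.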