X-Git-Url: https://mudpy.org/gitweb?p=mudpy.git;a=blobdiff_plain;f=mudpy%2Fcommand.py;h=d72e4e3ea039cedf68b708770d2c2d9c73ad5810;hp=2b20b1a6d4b818e7be8f8efc149f09d99e1c8c13;hb=472e1de5356e4df0f099fe6a17ff6dab585314f3;hpb=a93dc77b0d77e622834f524e2060d516b47bbc58
diff --git a/mudpy/command.py b/mudpy/command.py
index 2b20b1a..d72e4e3 100644
--- a/mudpy/command.py
+++ b/mudpy/command.py
@@ -6,6 +6,7 @@ import random import re +import traceback import unicodedata import mudpy
@@ -110,15 +111,22 @@ def error(actor, input_data): """Generic error for an unrecognized command word.""" # 90% of the time use a generic error - if random.randrange(10): + # Whitelist the random.randrange() call in bandit since it's not used for + # security/cryptographic purposes + if random.randrange(10): # nosec message = '''I'm not sure what "''' + input_data + '''" means...''' # 10% of the time use the classic diku error else: message = "Arglebargle, glop-glyf!?!" - # send the error message - actor.send(message) + # try to send the error message, and log if we can't + try: + actor.send(message) + except Exception: + mudpy.misc.log( + 'Sending a command error to user %s raised exception...\n%s' % ( + actor.owner.account.get("name"), traceback.format_exc())) def halt(actor, parameters):
@@ -257,10 +265,12 @@ def look(actor, parameters): def move(actor, parameters): """Move the avatar in a given direction.""" - if parameters in actor.universe.contents[actor.get("location")].portals(): - actor.move_direction(parameters) - else: - actor.send("You cannot go that way.") + for portal in sorted( + actor.universe.contents[actor.get("location")].portals()): + if portal.startswith(parameters): + actor.move_direction(portal) + return(portal) + actor.send("You cannot go that way.") def preferences(actor, parameters): 
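Review bot: The new except handler in error() builds its log line from `actor.owner.account.get("name")`, so if the send failed because the actor has no owner or account (not visible in this hunk, so worth confirming), the handler itself raises and the original traceback is never logged. Resolving the name defensively keeps the log call from failing: `owner = getattr(actor, "owner", None)` followed by `name = owner.account.get("name") if owner else "(no owner)"`. Separately, the bare `# nosec` on the randrange line silences every bandit check on that line; `# nosec B311` would limit the suppression to the pseudo-random-generator warning the comment describes.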
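Review bot: An empty `parameters` string matches every portal in move(), because `portal.startswith("")` is always true, so if the dispatcher can pass an empty argument (not visible here) a bare move command sends the avatar through the alphabetically first exit instead of replying "You cannot go that way." Guarding the match restores the old behaviour for empty input: `if parameters and portal.startswith(parameters):`. The function also now returns the portal name on success and None otherwise; if callers are meant to use that value the docstring should say so, and `return portal` is the conventional spelling.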
@@ -272,22 +282,31 @@ def preferences(actor, parameters): message = "" arguments = parameters.split() allowed_prefs = set() + base_prefs = [] user_config = actor.universe.contents.get("mudpy.user") if user_config: - allowed_prefs.update(user_config.get("pref_allow", [])) + base_prefs = user_config.get("pref_allow", []) + allowed_prefs.update(base_prefs) if actor.owner.account.get("administrator"): allowed_prefs.update(user_config.get("pref_admin", [])) if not arguments: message += "These are your current preferences:" - for pref in allowed_prefs: - message += ("$(eol) $(red)%s $(grn)%s$(nrm)" - % (pref, actor.owner.account.get(pref))) + + # color-code base and admin prefs + for pref in sorted(allowed_prefs): + if pref in base_prefs: + color = "grn" + else: + color = "red" + message += ("$(eol) $(%s)%s$(nrm) - %s" % ( + color, pref, actor.owner.account.get(pref, ""))) + elif arguments[0] not in allowed_prefs: message += ( 'Preference "%s" does not exist. Try the `preferences` command by ' "itself for a list of valid preferences." % arguments[0]) elif len(arguments) == 1: - message += "%s" % actor.owner.account.get(arguments[0]) + message += "%s" % actor.owner.account.get(arguments[0], "")
 else: pref = arguments[0] value = " ".join(arguments[1:])
@@ -520,7 +539,12 @@ def show(actor, parameters): message = "You need to specify an expression." else: try: - message = repr(eval(" ".join(arguments[1:]))) + # there is no other option than to use eval() for this, since + # its purpose is to evaluate arbitrary expressions, so do what + # we can to secure it and whitelist it for bandit analysis + message = repr(eval( # nosec + " ".join(arguments[1:]), + {"mudpy": mudpy, "universe": actor.universe})) except Exception as e: message = ("$(red)Your expression raised an exception...$(eol)" "$(eol)$(bld)%s$(nrm)" % e)
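Review bot: The comment `# color-code base and admin prefs` in preferences() does not say which colour marks which class, and a reader has to work it out from the `pref in base_prefs` test. I would spell it out, for example `# green: preferences any user may set (pref_allow); red: administrator-only (pref_admin)`. The new `""` default in `account.get(pref, "")` also makes an unset preference indistinguishable from one set to an empty string in the listing, which is worth a word in the docstring if that is intended. The function continues past the end of this hunk, so the branch that stores a new value is not covered by this note.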
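Review bot: Passing `{"mudpy": mudpy, "universe": actor.universe}` as globals in show() does not restrict what the expression can reach: eval() inserts `__builtins__` into any globals dict that lacks it, and the `mudpy` and `universe` objects expose the whole running server, so the "do what we can to secure it" comment overstates the protection. The control that matters is who may run `show`; that check is outside this hunk (the function starts earlier), so the comment should state the assumption, for example `# not a sandbox: eval() still has builtins; show must stay administrator-only`. Because the call is now suppressed for bandit with `# nosec`, I would also record each expression before evaluating it, e.g. `mudpy.misc.log('%s evaluated: %s' % (actor.owner.account.get("name"), " ".join(arguments[1:])))`, so use of the command is auditable.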