From: Jeremy Stanley
Date: Sun, 5 May 2019 20:37:43 +0000 (+0000)
Subject: Escape replacement macros in preferences
X-Git-Tag: 0.0.1~22
X-Git-Url: https://mudpy.org/gitweb?p=mudpy.git;a=commitdiff_plain;h=641a045ea5407a56626c7ea718efc7bbf5152ba1
Escape replacement macros in preferences
Don't let users inject replacement macros into their preferences, just escape them so they're harmless. Also adjust the preferences tests to include macros so this safety measure does not regress.
---
diff --git a/mudpy/command.py b/mudpy/command.py
index ebd9036..1138aa8 100644
--- a/mudpy/command.py
+++ b/mudpy/command.py
@@ -237,6 +237,10 @@ def move(actor, parameters):
 def preferences(actor, parameters):
 """List, view and change actor preferences."""
+
+ # Escape replacement macros in preferences
+ parameters = mudpy.misc.escape_macros(parameters)
+
 message = ""
 arguments = parameters.split()
 allowed_prefs = set()
diff --git a/mudpy/tests/selftest.py b/mudpy/tests/selftest.py
index 2325f62..d98755a 100644
--- a/mudpy/tests/selftest.py
+++ b/mudpy/tests/selftest.py
@@ -165,9 +165,9 @@ test_admin_setup = (
 test_preferences = (
 (0, "> ", "preferences"),
- (0, r"prompt \x1b\[32m.*> ", "preferences prompt #"),
- (0, r"# ", "preferences prompt"),
- (0, r"#.*# ", "preferences prompt >"),
+ (0, r"prompt \x1b\[32m.*> ", "preferences prompt $(foo)"),
+ (0, r"\$\(foo\) ", "preferences prompt"),
+ (0, r"\$\(foo\).*\$\(foo\) ", "preferences prompt >"),
 (2, "> ", "preferences loglevel 0"),
 (2, "> ", "preferences"),
 (2, r"loglevel \x1b\[32m0\x1b\[0m.*> ", "preferences loglevel zero"),
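Review bot: The escape added at the top of `preferences` protects only this one handler, so any other command that stores actor-supplied text which is later run through macro replacement would need the same call; those handlers are not visible here, so this is something to check rather than a confirmed gap. Because `parameters` is escaped before `parameters.split()`, the preference name is escaped along with the value, which looks harmless for matching against the allowed names but presumably means the stored value is the escaped form. The comment should give the reason rather than restate the call, e.g. `# Preference values are rendered through macro replacement later (the prompt, for one), so neutralize any $(...) the user typed before it is stored`. The body of `preferences` continues past the end of the hunk.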
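Review bot: The new `test_preferences` rows only prove the escape works if an unescaped `$(foo)` would come back as something other than the literal text, and how the replacement code treats an undefined macro name is not visible in this hunk. If unknown macros are passed through unchanged, these three rows would still pass with the `escape_macros` call removed, so a macro name the engine is known to expand would make a regression visible. The rows also exercise only the `prompt` preference. The `test_preferences` tuple starts and ends outside the hunk.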