From: Jeremy Stanley <fungi@yuggoth.org>
Date: Sun, 5 May 2019 20:37:43 +0000 (+0000)
Subject: Escape replacement macros in preferences
X-Git-Tag: 0.0.1~22
X-Git-Url: https://mudpy.org/gitweb?p=mudpy.git;a=commitdiff_plain;h=641a045ea5407a56626c7ea718efc7bbf5152ba1;hp=9ea1249e8e340f62483da7ea68d3c21b5e0018ea

Escape replacement macros in preferences

Don't let users inject replacement macros into their preferences,
just escape them so they're harmless. Also adjust the preferences
tests to include macros so this safety measure does not regress.
---

diff --git a/mudpy/command.py b/mudpy/command.py
index ebd9036..1138aa8 100644
--- a/mudpy/command.py
+++ b/mudpy/command.py
@@ -237,6 +237,10 @@ def move(actor, parameters):
 
 def preferences(actor, parameters):
     """List, view and change actor preferences."""
+
+    # Escape replacement macros in preferences
+    parameters = mudpy.misc.escape_macros(parameters)
+
     message = ""
     arguments = parameters.split()
     allowed_prefs = set()
diff --git a/mudpy/tests/selftest.py b/mudpy/tests/selftest.py
index 2325f62..d98755a 100644
--- a/mudpy/tests/selftest.py
+++ b/mudpy/tests/selftest.py
@@ -165,9 +165,9 @@ test_admin_setup = (
 
 test_preferences = (
     (0, "> ", "preferences"),
-    (0, r"prompt \x1b\[32m.*> ", "preferences prompt #"),
-    (0, r"# ", "preferences prompt"),
-    (0, r"#.*# ", "preferences prompt >"),
+    (0, r"prompt \x1b\[32m.*> ", "preferences prompt $(foo)"),
+    (0, r"\$\(foo\) ", "preferences prompt"),
+    (0, r"\$\(foo\).*\$\(foo\) ", "preferences prompt >"),
     (2, "> ", "preferences loglevel 0"),
     (2, "> ", "preferences"),
     (2, r"loglevel \x1b\[32m0\x1b\[0m.*> ", "preferences loglevel zero"),