ID:138415
 
So there is a major potential security issue for my Forum library (and potentially for anything using prompt()) that's been on my mind, and I wanted to get some input before I attempt to plug it, if it needs to be plugged.

The issue is how possible it is for people to crash or hack a game by making very large text entries into a prompt() window, or into a form text field. A classic example (which I haven't tried yet but should) is taking the text from a dictionary available on most Unix systems and dumping it into a field.

Does DM do any size checking on the text? Would it just run the machine out of memory or could someone potentially insert code at the end of such a string?

If this is a vulnerability, any thoughts on the best way to code around it?

The issue is how possible it is for people to crash or hack a game by making very large text entries into a prompt() window, or into a form text field.

There is a built-in limit in the size of the network packets that the client and server use to communicate. Currently, it is 65535 bytes, which is large, but not so large as to really do any damage.

Note that this limitation does not affect the size of files which may be uploaded, because those are split into multiple packets. It's just the other messages like verb and prompt input that are confined to a single packet.

I would like to provide configurable limits on the size of files which may be uploaded, since players could theoretically upload huge files to try to fill up the server's disk space.

--Dan
In response to Dan
On 9/14/00 7:28 am Dan wrote:
There is a built-in limit in the size of the network packets that the client and server use to communicate. Currently, it is 65535 bytes, which is large, but not so large as to really do any damage.

I would like to provide configurable limits on the size of files which may be uploaded, since players could theoretically upload huge files to try to fill up the server's disk space.


Likewise I will add size checking to the Forum code so that people can't make entries over, oh, 10k bytes. They can post multiple messages if they really need to.
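
The two limits discussed in this thread, as an added example that is not part of any post and is not DM or BYOND code: a byte-based cap on a text entry, and a cumulative cap on an upload that arrives as several packets, checked as each chunk arrives. The function and class names, the 1 MiB upload cap and the UTF-8 byte counting are assumptions made for the sketch; the 65535-byte and 10k figures are the ones quoted above.

```python
MAX_PACKET_BYTES = 65535        # single-packet limit quoted in the thread
MAX_ENTRY_BYTES = 10 * 1024     # forum entry cap proposed in the thread ("10k bytes")
MAX_UPLOAD_BYTES = 1024 * 1024  # hypothetical configurable upload cap (assumed value)


class TooLarge(ValueError):
    """Raised when input exceeds a configured size limit."""


def check_entry(text, limit=MAX_ENTRY_BYTES):
    """Return text unchanged if it fits the limit, otherwise raise TooLarge.

    Size is counted in encoded bytes (UTF-8 assumed), since that is what
    memory and disk consume. Oversized entries are rejected, not truncated.
    """
    if not isinstance(text, str):
        raise TypeError("entry must be text")
    size = len(text.encode("utf-8"))
    if size > limit:
        raise TooLarge(f"entry is {size} bytes, limit is {limit}")
    return text


class UploadReceiver:
    """Collects a multi-packet upload and aborts as soon as the cap is passed."""

    def __init__(self, limit=MAX_UPLOAD_BYTES):
        self.limit = limit
        self.received = 0
        self.chunks = []

    def feed(self, chunk):
        if len(chunk) > MAX_PACKET_BYTES:
            raise TooLarge("chunk exceeds the single-packet limit")
        # Check the running total before storing the chunk, so an oversized
        # upload is dropped part-way instead of being held or written in full.
        if self.received + len(chunk) > self.limit:
            self.chunks.clear()
            raise TooLarge(f"upload exceeds {self.limit} bytes")
        self.received += len(chunk)
        self.chunks.append(chunk)

    def finish(self):
        """Return the assembled upload once the sender signals completion."""
        return b"".join(self.chunks)
```
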