<URL: http://bugs.freeciv.org/Ticket/Display.html?id=39957 >

Jason Dorje Short wrote:
> But the point is that having HACK access allows you to write directly to 
> the filesystem, through the /save command among others.  HACK access 
> should only be given when you do not mind the user having write access. 
> That is why the hack check is done the way it is now and the client is 
> supposed to be able to write to the file to get it.

AFAICT, there is no check in the server code that the client has write
access, nor that the file was properly deleted.  And the mask isn't
properly set, either.  There is no security reason for the process.

Madeline, where is your code?  The AUTH code here is cryptologically
unsound.  Did the AUTH code come from someplace special?  Is there any
reason to be backward compatible with anything?
