From cc5fc88fb2ae374ee4a91b3fc038ce1857b86be0 Mon Sep 17 00:00:00 2001
From: VladimirMangos
Date: Wed, 7 Jan 2009 17:47:57 +0300
Subject: [PATCH] [7046] Do more security level checks in commands using HasLowerSecurity. Make use .account set addon safe for players.
---
 src/game/Chat.cpp | 43 +++++++++++++++++++++++----------
 src/game/Chat.h | 3 ++-
 src/game/ChatHandler.cpp | 2 +-
 src/game/Level2.cpp | 48 +++++++------------------------------
 src/game/Level3.cpp | 43 ++++++++++++++++-----------------
 src/mangosd/CliRunnable.cpp | 17 ++++---------
 src/shared/revision_nr.h | 2 +-
 7 files changed, 66 insertions(+), 92 deletions(-)
diff --git a/src/game/Chat.cpp b/src/game/Chat.cpp
index f21193476..b78aae2d6 100644
--- a/src/game/Chat.cpp
+++ b/src/game/Chat.cpp
@@ -627,29 +627,46 @@ bool ChatHandler::isAvailable(ChatCommand const& cmd) const
 return m_session->GetSecurity() >= cmd.SecurityLevel;
 }
-bool ChatHandler::HasLowerSecurity(Player* target, uint64 guid)
+bool ChatHandler::HasLowerSecurity(Player* target, uint64 guid, bool strong)
 {
- uint32 target_sec;
-
- if (!sWorld.getConfig(CONFIG_GM_LOWER_SECURITY))
- return false;
-
- // allow everything from RA console
- if (!m_session)
- return false;
+ WorldSession* target_session = NULL;
+ uint32 target_account = 0;
 if (target)
- target_sec = target->GetSession()->GetSecurity();
+ target_session = target->GetSession();
 else if (guid)
- target_sec = accmgr.GetSecurity(objmgr.GetPlayerAccountIdByGUID(guid));
- else
+ target_account = objmgr.GetPlayerAccountIdByGUID(guid);
+
+ if(!target_session && !target_account)
 {
 SendSysMessage(LANG_PLAYER_NOT_FOUND);
 SetSentErrorMessage(true);
 return true;
 }
- if (m_session->GetSecurity() < target_sec)
+ return HasLowerSecurityAccount(target_session,target_account,strong);
+}
+
+bool ChatHandler::HasLowerSecurityAccount(WorldSession* target, uint32 target_account, bool strong)
+{
+ uint32 target_sec;
+
+ // ignore only for non-players for non strong checks (when allow apply command at least to same sec level)
+ if (m_session->GetSecurity() > SEC_PLAYER && !strong && !sWorld.getConfig(CONFIG_GM_LOWER_SECURITY))
+ return false;
+
+ // allow everything from console and RA console
+ if (!m_session)
+ return false;
+
+ if (target)
+ target_sec = target->GetSecurity();
+ else if (target_account)
+ target_sec = accmgr.GetSecurity(target_account);
+ else
+ return true; // caller must report error for (target==NULL && target_account==0)
+
+ if (m_session->GetSecurity() < target_sec || strong && m_session->GetSecurity() <= target_sec)
 {
 SendSysMessage(LANG_YOURS_SECURITY_IS_LOW);
 SetSentErrorMessage(true);
diff --git a/src/game/Chat.h b/src/game/Chat.h
index 68abd1395..12352f88a 100644
--- a/src/game/Chat.h
+++ b/src/game/Chat.h
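Review bot: In the new `HasLowerSecurityAccount` in Chat.cpp, `m_session->GetSecurity() > SEC_PLAYER` is evaluated before the `if (!m_session)` console check, so a console or RA invocation dereferences a null session instead of being allowed through. Move `if (!m_session) return false;` to the top of the function, ahead of the `CONFIG_GM_LOWER_SECURITY` test. This matters for the call sites that drop their own guard in this commit: the mute and unmute handlers in Level2.cpp, the gmlevel and password handlers in Level3.cpp, and `HandleAccountDeleteCommand` in CliRunnable.cpp, which previously wrapped the check in `if(m_session)`; only the addon handler still tests `m_session` itself. The final condition would also read more safely as `... < target_sec || (strong && ... <= target_sec)`; the function's closing lines fall outside the hunk.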
@@ -77,7 +77,8 @@ class ChatHandler
 virtual bool isAvailable(ChatCommand const& cmd) const;
 virtual bool needReportToTarget(Player* chr) const;
- bool HasLowerSecurity(Player* target, uint64 guid);
+ bool HasLowerSecurity(Player* target, uint64 guid, bool strong = false);
+ bool HasLowerSecurityAccount(WorldSession* target, uint32 account, bool strong = false);
 void SendGlobalSysMessage(const char *str);
diff --git a/src/game/ChatHandler.cpp b/src/game/ChatHandler.cpp
index 1de6ca458..ea5061001 100644
--- a/src/game/ChatHandler.cpp
+++ b/src/game/ChatHandler.cpp
@@ -190,7 +190,7 @@ void WorldSession::HandleMessagechatOpcode( WorldPacket & recv_data )
 Player *player = objmgr.GetPlayer(to.c_str());
 uint32 tSecurity = GetSecurity();
- uint32 pSecurity = player ? player->GetSession()->GetSecurity() : 0;
+ uint32 pSecurity = player ? player->GetSession()->GetSecurity() : SEC_PLAYER;
 if(!player || tSecurity == SEC_PLAYER && pSecurity > SEC_PLAYER && !player->isAcceptWhispers())
 {
 WorldPacket data(SMSG_CHAT_PLAYER_NOT_FOUND, (to.size()+1));
diff --git a/src/game/Level2.cpp b/src/game/Level2.cpp
index 695564617..6ea8c6b6d 100644
--- a/src/game/Level2.cpp
+++ b/src/game/Level2.cpp
@@ -86,27 +86,11 @@ bool ChatHandler::HandleMuteCommand(const char* args)
 Player *chr = objmgr.GetPlayer(guid);
- // check security
- uint32 account_id = 0;
- uint32 security = 0;
-
- if (chr)
- {
- account_id = chr->GetSession()->GetAccountId();
- security = chr->GetSession()->GetSecurity();
- }
- else
- {
- account_id = objmgr.GetPlayerAccountIdByGUID(guid);
- security = accmgr.GetSecurity(account_id);
- }
-
- if(m_session && security >= m_session->GetSecurity())
- {
- SendSysMessage(LANG_YOURS_SECURITY_IS_LOW);
- SetSentErrorMessage(true);
+ // must have strong lesser security level
+ if(HasLowerSecurity (chr,guid,true))
 return false;
- }
+
+ uint32 account_id = chr ? chr->GetSession()->GetAccountId() : objmgr.GetPlayerAccountIdByGUID(guid);
 time_t mutetime = time(NULL) + notspeaktime*60;
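Review bot: The two declarations added in Chat.h carry no comment, and their return convention is easy to misread at a call site. Going by the Chat.cpp implementation in this commit, `true` means the invoker must NOT act on the target, and `strong` additionally rejects a target of equal security level. I would add above them something like `// returns true when the command must be refused: target security is higher (or equal, if strong)`. A second line should record that `HasLowerSecurityAccount` returns `true` without sending a message when both `target` and `account` are empty, leaving that error for the caller to report.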
@@ -152,27 +136,11 @@ bool ChatHandler::HandleUnmuteCommand(const char* args) Player *chr = objmgr.GetPlayer(guid); - // check security - uint32 account_id = 0; - uint32 security = 0; - - if (chr) - { - account_id = chr->GetSession()->GetAccountId(); - security = chr->GetSession()->GetSecurity(); - } - else - { - account_id = objmgr.GetPlayerAccountIdByGUID(guid); - security = accmgr.GetSecurity(account_id); - } - - if(m_session && security >= m_session->GetSecurity()) - { - SendSysMessage(LANG_YOURS_SECURITY_IS_LOW); - SetSentErrorMessage(true); + // must have strong lesser security level + if(HasLowerSecurity (chr,guid,true)) return false; - } + + uint32 account_id = chr ? chr->GetSession()->GetAccountId() : objmgr.GetPlayerAccountIdByGUID(guid); if (chr) { diff --git a/src/game/Level3.cpp b/src/game/Level3.cpp index f50fff61e..44f626210 100644 --- a/src/game/Level3.cpp +++ b/src/game/Level3.cpp @@ -696,7 +696,6 @@ bool ChatHandler::HandleAccountSetGmLevelCommand(const char* args) std::string targetAccountName; uint32 targetAccountId = 0; - uint32 targetSecurity = 0; /// only target player different from self allowed (if targetPlayer!=NULL then not console) Player* targetPlayer = getSelectedPlayer(); @@ -710,13 +709,6 @@ bool ChatHandler::HandleAccountSetGmLevelCommand(const char* args) arg2 = arg1; targetAccountId = targetPlayer->GetSession()->GetAccountId(); - targetSecurity = targetPlayer->GetSession()->GetSecurity(); - if(!accmgr.GetName(targetAccountId,targetAccountName)) - { - PSendSysMessage(LANG_ACCOUNT_NOT_EXIST,targetAccountName.c_str()); - SetSentErrorMessage(true); - return false; - } } else { 
@@ -733,7 +725,12 @@ bool ChatHandler::HandleAccountSetGmLevelCommand(const char* args) } targetAccountId = accmgr.GetId(targetAccountName); - targetSecurity = accmgr.GetSecurity(targetAccountId); + if(!targetAccountId) + { + PSendSysMessage(LANG_ACCOUNT_NOT_EXIST,targetAccountName.c_str()); + SetSentErrorMessage(true); + return false; + } } int32 gm = (int32)atoi(arg2); @@ -744,12 +741,14 @@ bool ChatHandler::HandleAccountSetGmLevelCommand(const char* args) return false; } - /// m_session==NULL only for console - uint32 plSecurity = m_session ? m_session->GetSecurity() : SEC_CONSOLE; - /// can set security level only for target with less security and to less security that we have /// This is also reject self apply in fact - if(targetSecurity >= plSecurity || uint32(gm) >= plSecurity ) + if(HasLowerSecurityAccount(NULL,targetAccountId,true)) + return false; + + /// account can't set security to same or grater level, need more power GM or console + uint32 plSecurity = m_session ? m_session->GetSecurity() : SEC_CONSOLE; + if (uint32(gm) >= plSecurity ) { SendSysMessage(LANG_YOURS_SECURITY_IS_LOW); SetSentErrorMessage(true); @@ -798,19 +797,10 @@ bool ChatHandler::HandleAccountSetPasswordCommand(const char* args) return false; } - uint32 targetSecurity = accmgr.GetSecurity(targetAccountId); - - /// m_session==NULL only for console - uint32 plSecurity = m_session ? m_session->GetSecurity() : SEC_CONSOLE; - /// can set password only for target with less security /// This is also reject self apply in fact - if (targetSecurity >= plSecurity) - { - SendSysMessage (LANG_YOURS_SECURITY_IS_LOW); - SetSentErrorMessage (true); + if(HasLowerSecurityAccount (NULL,targetAccountId,true)) return false; - } if (strcmp(szPassword1,szPassword2)) { 
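Review bot: In `HandleAccountSetGmLevelCommand`, `targetAccountName` is now only populated on the by-name path that receives the new `if(!targetAccountId)` check in the `@@ -733,7 +725,12 @@` hunk. The `@@ -710,13 +709,6 @@` hunk removed the `accmgr.GetName(...)` lookup from the selected-player branch, so the string stays empty there. If the code after these hunks (not visible here) still reports the account name, it will print a blank name whenever the target was chosen by selection. Restoring `accmgr.GetName(targetAccountId,targetAccountName);` right after `targetAccountId = targetPlayer->GetSession()->GetAccountId();` would keep both paths consistent.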
@@ -6192,8 +6182,15 @@ bool ChatHandler::HandleAccountSetAddonCommand(const char* args) SetSentErrorMessage(true); return false; } + } + // Let set addon state only for lesser (strong) security level + // or to self account + if (m_session && m_session->GetAccountId () != account_id && + HasLowerSecurityAccount (NULL,account_id,true)) + return false; + int lev=atoi(szExp); //get int anyway (0 if error) if(lev < 0) return false; diff --git a/src/mangosd/CliRunnable.cpp b/src/mangosd/CliRunnable.cpp index 69b289f39..7575b0dad 100644 --- a/src/mangosd/CliRunnable.cpp +++ b/src/mangosd/CliRunnable.cpp @@ -80,19 +80,10 @@ bool ChatHandler::HandleAccountDeleteCommand(const char* args) } /// Commands not recommended call from chat, but support anyway - if(m_session) - { - uint32 targetSecurity = accmgr.GetSecurity(account_id); - - /// can delete only for account with less security - /// This is also reject self apply in fact - if (targetSecurity >= m_session->GetSecurity()) - { - SendSysMessage (LANG_YOURS_SECURITY_IS_LOW); - SetSentErrorMessage (true); - return false; - } - } + /// can delete only for account with less security + /// This is also reject self apply in fact + if(HasLowerSecurityAccount (NULL,account_id,true)) + return false; AccountOpResult result = accmgr.DeleteAccount(account_id); switch(result) diff --git a/src/shared/revision_nr.h b/src/shared/revision_nr.h index 416d1c8f1..8bdff3b61 100644 --- a/src/shared/revision_nr.h +++ b/src/shared/revision_nr.h @@ -1,4 +1,4 @@ #ifndef __REVISION_NR_H__ #define __REVISION_NR_H__ - #define REVISION_NR "7045" + #define REVISION_NR "7046" #endif // __REVISION_NR_H__