Programming Piece Movement in Game Courier. A tutorial on two different ways to program piece movement in Game Courier.
Fergus Duniho wrote on Thu, Nov 9, 2023 06:08 PM UTC in reply to Fergus Duniho from 05:05 PM:

As a second test, I created stingmovetest3, and on loading it into an editor, I saw that $author was set to my userid.

As a third test, I saved a modified copy as stingmovetest4 without a userid, and it allowed it.

As a fourth test, I modified it again and saved it with my userid. This time, my userid showed up as the value of $author.

As a fifth test, I modified stingmovetest2 and tried to save it without being signed in. This was not allowed, which is good, because it should not be allowed.

As a sixth test, I signed into a spare account I use for testing, and I tried saving a modified stingmovetest2. My modification went through, and $author is still set to the empty string.

So, it appears there is a security hole in Game Courier. It is possible to create a settings file with an empty Userid, and then anyone who is signed in can edit it. It was probably empty, because I updated the settings file before saving it, and updating it clears the Userid field from the form. Not noticing this, I apparently saved it with an empty value for $author, and not realizing it wasn't his own settings file, Adam edited it without entering his own userid.

I addressed this by filling in the $userid value from the SESSION variable when someone is already signed in. This stops someone from creating a settings file with an empty userid, but it does allow someone to steal a settings file that already has an empty value for $author.
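
The ownership rule described in the comment above, as an added example that is not part of the original comment and is not Game Courier's code: it models the behaviour reported after the fix next to a stricter variant that treats an existing settings file with an empty owner as locked. The function names, the admin list and the sample cases are hypothetical and constructed for illustration.

```php
<?php
// Added example. Function names and the admin list are hypothetical;
// this is not Game Courier's code.

// Model of the behaviour described after the fix: the user id comes from
// the session, and a file whose stored $author is empty can be taken over.
// Returns the author to store, or null when the save is refused.
function save_after_fix(?string $storedAuthor, ?string $sessionUser): ?string
{
    if ($sessionUser === null || $sessionUser === '') {
        return null;                       // not signed in: refuse
    }
    if ($storedAuthor === null || $storedAuthor === '') {
        return $sessionUser;               // new file, or empty owner: claimed
    }
    return $storedAuthor === $sessionUser ? $storedAuthor : null;
}

// Hardened variant: an existing file with an empty owner is treated as
// locked, and only an administrator may assign it.
function save_hardened(?string $storedAuthor, ?string $sessionUser, array $admins = []): ?string
{
    if ($sessionUser === null || $sessionUser === '') {
        return null;
    }
    if ($storedAuthor === null) {
        return $sessionUser;               // file does not exist yet
    }
    if ($storedAuthor === '') {
        return in_array($sessionUser, $admins, true) ? $sessionUser : null;
    }
    return $storedAuthor === $sessionUser ? $storedAuthor : null;
}

// Constructed cases: [stored author (null = new file), session user].
$cases = [
    'new file, signed in'        => [null, 'alice'],
    'own file'                   => ['alice', 'alice'],
    'someone else\'s file'       => ['alice', 'bob'],
    'empty owner, other user'    => ['', 'bob'],
    'empty owner, not signed in' => ['', null],
];
foreach ($cases as $label => [$stored, $user]) {
    printf("%-28s after fix: %-8s hardened: %s\n", $label,
        var_export(save_after_fix($stored, $user), true),
        var_export(save_hardened($stored, $user, ['admin']), true));
}
```

The two functions differ only on the "empty owner, other user" case, which is the remaining takeover path the comment mentions.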