From f38782e300d2054be086ea007ab07c04e06e7d2f Mon Sep 17 00:00:00 2001 From: Markolie Date: Tue, 11 Nov 2014 00:48:15 +0100 Subject: [PATCH] Porting over fix for HTML injection exploit from /tg/ --- code/game/gamemodes/nuclear/nuclearbomb.dm | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/code/game/gamemodes/nuclear/nuclearbomb.dm b/code/game/gamemodes/nuclear/nuclearbomb.dm index 6b65d71e0c4..f8ed8a25e53 100644 --- a/code/game/gamemodes/nuclear/nuclearbomb.dm +++ b/code/game/gamemodes/nuclear/nuclearbomb.dm @@ -22,6 +22,7 @@ var/bomb_set var/safety_wire var/timing_wire var/removal_stage = 0 // 0 is no removal, 1 is covers removed, 2 is covers open, 3 is sealant open, 4 is unwrenched, 5 is removed from bolts. + var/lastentered var/data[0] var/uiwidth var/uiheight @@ -321,9 +322,15 @@ obj/machinery/nuclearbomb/proc/nukehack_win(mob/user as mob) src.yes_code = 0 src.code = null else - src.code += text("[]", href_list["type"]) - if (length(src.code) > 5) - src.code = "ERROR" + lastentered = text("[]", href_list["type"]) + if (text2num(lastentered) == null) + var/turf/LOC = get_turf(usr) + message_admins("[key_name_admin(usr)] tried to exploit a nuclear bomb by entering non-numerical codes: [lastentered] ! ([LOC ? "JMP" : "null"])", 0) + log_admin("EXPLOIT : [key_name(usr)] tried to exploit a nuclear bomb by entering non-numerical codes: [lastentered] !") + else + src.code += lastentered + if (length(src.code) > 5) + src.code = "ERROR" if (src.yes_code) if (href_list["time"]) var/time = text2num(href_list["time"])