JOURNAL FOR SUNDAY 17TH APRIL, 2022
______________________________________________________________________________

SUBJECT: WolfMUD v0.0.19-beta.6 released (Security update)
   DATE: Sun 17 Apr 20:31:02 BST 2022

The sixth beta snapshot is now available for download[1]. This beta contains
an important fix for a potential DOS attack. All users of previous betas are
urged to update. All previous betas have been retired to the attic.

The beta was built using Go 1.17.9, not Go 1.18.1. The patch[2] for Go issue
#51776[3] was not included in 1.18.1, but it is scheduled for 1.18.2[4].

This release includes downloads for ARM64, suitable for Raspberry Pi 3 and 4
running 64-bit Raspberry Pi OS. This is still experimental and untested[5].

This beta includes player selectable prompt styles via a new /PROMPT command.

New player command history and command recall. The command history can be
displayed using /HISTORY or ‘/!’, commands can be recalled using ‘!’, ‘!!’ or
‘!!!’.

Administrators can now be set up using permissions; see the ADMINISTRATORS
section in running-the-server.txt for details.

Players can no longer directly execute scripting commands.

Plus many more bug fixes and improvements.

Apologies if this release seems a little rushed. Another beta was not planned;
due to the security fix it felt prudent to quickly release another beta rather
than hold on and wait for v0.0.19 :( Plus, I need to test the new ARM64 builds
properly before the release of v0.0.19.

Main highlights from the release notes:

Security

- Limit input data from client (potential DOS attack mitigation).

  Currently no limits are put on the length of a command a player can send to
  the server. As the input is stored in a []byte buffer, a malicious client
  could cause the buffer to consume a lot of the memory. This could be used as
  a DOS attack - this has not been seen in the wild and has not actually been
  exploitable during testing.

  The server now limits the size of the input accepted by the server. If a
  client sends a command longer than the limit to the server then all of the
  input is discarded and the message "You type too much!" is sent to the
  client. The current input limit is 80 bytes.

Added

- New /PROMPT player command to check, list and change prompts.
- New core/state.Script method for executing scripting commands outside of
  the core package.
- Per-player permissions can be set via a new Permissions field in the player
  header record. Currently permissions can be 'ADMIN' or a specific admin
  command. Admin commands are those prefixed with a hash '#'. Details for
  setting up administrators added to docs/running-the-server.txt.
- Player command history and recall for up to three commands added. The last
  three commands can be listed using '/HISTORY' or the abbreviation '/!'. The
  last three commands can be repeated using '!', '!!' and '!!!' respectively.
- ARM64 build target added to makefiles and release builds.
- New data/zones/quiet.wrj zone for testing in isolation, defaults disabled.

Changed

- The player's prompt is now selectable and persists in the player file. The
  available prompts are: NONE, CURSOR, BRIEF, SHORT, LONG.
- The Debug.AllowDump and Debug.AllowDebug options have been dropped from the
  server configuration and have been replaced by per-player permissions.
- The #DUMP/#LDUMP commands now show Int values as date/time or durations
  where appropriate.
- In data/zones/zinara.wrj make curious brass lattice a little more curious.

Fixed

- Health events are now registered for mobiles / NPCs when they are loaded,
  if they need healing.
- Health events are now registered for mobiles / NPCs when they are junked,
  if they need healing.
- Events for anything junked are now suspended and resumed if a reset occurs,
  as opposed to the thing being disposed of.
- The "... kills you ..." message from the HIT command correctly upper-cases
  the name of what kills you.
- Players can no longer directly execute scripting commands with a dollar '$'
  prefix.
- OnAction fixed for ugly imp in data/zones/zinara_caves.wrj
- Store player created date in Thing.Int[CREATED] as nanoseconds.
- Event dueAt timestamp now shown in UTC to match server logging.
- Don't log player connects and disconnects if not logging client IP address.
- Log when a player quits - either willingly or unwillingly (due to errors).
- In data/zones/reset.wrj drop invalid O9 reference and add item clean-up.

--
Diddymus

[1] Download area: ../../../downloads/

[2] runtime: align m.procid to 8 bytes on 32-bit systems
    https://go-review.googlesource.com/c/go/+/399754/

[3] Go Issue #51776: https://github.com/golang/go/issues/51776

[4] https://github.com/golang/go/issues/52305

[5] I have managed to place an order for a Raspberry Pi 4 8Gb, waiting for it
    to be delivered. This Pi is for all my ARM64 work, including WolfMUD.
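
The input limit described under Security above, sketched in Go as an added example (this is not WolfMUD's own code). The function names and the use of bufio.Reader.ReadSlice with a fixed-size buffer are assumptions; only the 80 byte limit and the "You type too much!" message come from the release notes.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

const inputLimit = 80 // bytes; the limit stated in the release notes

// readCommand returns the next line from r without its line ending. An
// over-long line is discarded in full; only r's fixed buffer is ever used.
func readCommand(r *bufio.Reader) (cmd string, tooLong bool, err error) {
	line, err := r.ReadSlice('\n')
	for err == bufio.ErrBufferFull {
		tooLong = true                // line does not fit in the buffer
		line, err = r.ReadSlice('\n') // drop this chunk, keep draining
	}
	if err != nil {
		return "", tooLong, err // EOF or network error ends the session
	}
	cmd = strings.TrimRight(string(line), "\r\n")
	if tooLong || len(cmd) > inputLimit {
		return "", true, nil
	}
	return cmd, false, nil
}

// session (hypothetical) returns accepted commands and rejects long input.
func session(in io.Reader, out io.Writer) (accepted []string) {
	r := bufio.NewReaderSize(in, inputLimit+2) // room for a trailing "\r\n"
	for {
		cmd, tooLong, err := readCommand(r)
		switch {
		case err != nil:
			return accepted
		case tooLong:
			fmt.Fprintln(out, "You type too much!")
		default:
			accepted = append(accepted, cmd)
		}
	}
}

func main() { // constructed input: a command, a 1 MiB line, a command
	var out strings.Builder
	in := strings.NewReader("look\n" + strings.Repeat("A", 1<<20) + "\nnorth\r\n")
	fmt.Printf("%q %q\n", session(in, &out), out.String())
}
```

Because the reader's buffer is fixed at 82 bytes, memory per connection stays constant however much a client sends before a newline.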