+2010-08-05 Daigo Moriwaki <daigo at debian dot org>
+
+ * [shogi-server]
+ - shogi_server/command.rb: Prevent a possible password from be
+ logged in a log file when players send invalid LOGIN-like commands.
+ Thanks to Tomoyuki Kaneko for this idea.
+
2010-08-03 Daigo Moriwaki <daigo at debian dot org>
* [shogi-server]
class ErrorCommand < Command
def initialize(str, player)
super
+ @msg = nil
end
+ attr_reader :msg
def call
- msg = "##[ERROR] unknown command %s\n" % [@str.chomp]
- @player.write_safe(msg)
- log_error(msg)
+ cmd = @str.chomp
+ # Aim to hide a possible password
+ cmd.gsub!(/LOGIN\s*(\w+)\s+.*/i, 'LOGIN \1...')
+ @msg = "##[ERROR] unknown command %s\n" % [cmd]
+ @player.write_safe(@msg)
+ log_error(@msg)
return :continue
end
end
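Review bot: The redaction pattern in `call` only fires when the token after LOGIN consists of word characters and is followed by whitespace, so a line such as `LOGIN foo-bar secret` (constructed example) does not match and is still logged in full. If names or client typos can contain characters outside `\w`, matching the name with `\S+` closes that gap: `cmd.gsub!(/LOGIN\s*(\S+)\s+.*/i, 'LOGIN \1...')`. A LOGIN line with only one token after it is left untouched either way; if that token could be a password, dropping everything after `LOGIN` would be the safer choice. The comment could also state what is kept, e.g. `# Keep the name, drop the rest so a mistyped LOGIN never puts a password in the log`.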
def test_error
cmd = ShogiServer::Command.factory("should_be_error", @p)
assert_instance_of(ShogiServer::ErrorCommand, cmd)
+ cmd.call
+ assert_match /unknown command should_be_error/, cmd.msg
+ end
+
+ def test_error_login
+ cmd = ShogiServer::Command.factory("LOGIN hoge foo", @p)
+ assert_instance_of(ShogiServer::ErrorCommand, cmd)
+ cmd.call
+ assert_no_match /unknown command LOGIN hoge foo/, cmd.msg
+
+ cmd = ShogiServer::Command.factory("LOGin hoge foo", @p)
+ assert_instance_of(ShogiServer::ErrorCommand, cmd)
+ cmd.call
+ assert_no_match /unknown command LOGIN hoge foo/, cmd.msg
+
+ cmd = ShogiServer::Command.factory("LOGIN hoge foo", @p)
+ assert_instance_of(ShogiServer::ErrorCommand, cmd)
+ cmd.call
+ assert_no_match /unknown command LOGIN hoge foo/, cmd.msg
+
+ cmd = ShogiServer::Command.factory("LOGINhoge foo", @p)
+ assert_instance_of(ShogiServer::ErrorCommand, cmd)
+ cmd.call
+ assert_no_match /unknown command LOGIN hoge foo/, cmd.msg
end
end
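Review bot: The `assert_no_match /unknown command LOGIN hoge foo/` checks in `test_error_login` pass for the `LOGin hoge foo` and `LOGINhoge foo` inputs even when no redaction happens, because the unredacted message never contains that exact, case-sensitive text. Asserting on the secret and on the redacted form makes each case meaningful: `assert_no_match /foo/, cmd.msg` and `assert_match /unknown command LOGIN hoge\.\.\./, cmd.msg`. The first and third cases use the same input as shown here, so one of them adds no coverage unless whitespace was lost in rendering. The enclosing test class starts outside the hunk.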