jifunks / botany

command line virtual plant buddy
ISC License

Malicious visitors could kill a well-watered plant #33

Closed jmdejong closed 3 years ago

jmdejong commented 4 years ago

Although it is not really possible to prevent malicious users from removing the visitors, even if you water your own plant every day a malicious user could kill it.

Botany checks whether a plant is alive by checking if there is a difference in timestamps from all the waterings that is larger than 5 days. A malicious user could create a timestamp in the past that is more than 5 days before the last time the user watered their own plant. When the user then opens botany the plant will be killed.

A simple fix would be to discard all visitor timestamps that are before the last watered timestamp of the user themself (just like timestamps in the future are discarded).
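
The check and the proposed fix described in the issue above, as an added example that is not botany's own code. The function names, the flat lists of timestamps and the inclusion of the current time in the gap check are assumptions made for illustration.

```python
FIVE_DAYS = 5 * 24 * 60 * 60  # threshold from the issue, in seconds


def max_gap(timestamps):
    """Largest difference between neighbouring timestamps once sorted."""
    ordered = sorted(timestamps)
    return max((b - a for a, b in zip(ordered, ordered[1:])), default=0)


def is_dead_unfiltered(owner_last_watered, visitor_times, now):
    """Behaviour the issue describes: only future timestamps are discarded."""
    usable = [t for t in visitor_times if t <= now]
    return max_gap(usable + [owner_last_watered, now]) > FIVE_DAYS


def is_dead_filtered(owner_last_watered, visitor_times, now):
    """Proposed fix: also discard visitor timestamps older than the owner's
    own last watering, so a backdated entry cannot open an artificial gap."""
    usable = [t for t in visitor_times if owner_last_watered <= t <= now]
    return max_gap(usable + [owner_last_watered, now]) > FIVE_DAYS


if __name__ == "__main__":
    DAY = 24 * 60 * 60
    now = 1_700_000_000                 # constructed sample clock value
    owner = now - 3600                  # owner watered an hour ago
    backdated = [owner - 6 * DAY]       # constructed backdated visitor entry
    print(is_dead_unfiltered(owner, backdated, now))  # True
    print(is_dead_filtered(owner, backdated, now))    # False
```

With the filter in place, visitor waterings made after the owner's last watering still extend the plant's life, and a plant nobody has watered for more than 5 days is still reported dead.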