Opened 9 years ago
Closed 8 years ago
#3552 closed defect (duplicate)
[PATCH] Prohibit sending commands for other players in rated games
| Reported by: | elexis | Owned by: | |
|---|---|---|---|
| Priority: | Release Blocker | Milestone: | |
| Component: | Core engine | Keywords: | patch |
| Cc: | Patch: |
Description (last modified by )
Problem: Malicious users can send commands for other players in rated games.
This can be accomplished by abusing the developer overlay. It can be opened in rated games using one of the bugs (#3547, #3550, likely others) or by removing one check.
Release-blocker as it has been abused way too often by script-kiddies using proxies and making new accounts after being banned.
Implementation:
- Defending against malicious clients/players: For rated games, the server must ignore commands for players that don't correspond to the client that sent them.
According to #3155, sending commands for other players without having cheats enabled should be allowed. That's why we check for rated games instead of cheats.
- Defending against a malicious server (i.e. a host with a modified
NetServer.cpp) is impossible without either using public/private-key crypto (and requiring everone to validate their public keys outside of 0 A.D.) or switching to a a p2p structure. Surely won't be addressed in this ticket.
Attachments (2)
Change History (11)
comment:1 by , 9 years ago
| Description: | modified (diff) |
|---|
by , 9 years ago
| Attachment: | t3552_prevent_commands_for_others_in_rated_games_v1.patch added |
|---|
comment:2 by , 9 years ago
| Keywords: | patch review added |
|---|---|
| Milestone: | Backlog → Alpha 19 |
| Summary: | Prohibit sending commands for other players in rated games → [PATCH] Prohibit sending commands for other players in rated games |
comment:3 by , 9 years ago
comment:4 by , 9 years ago
Hotfix for a18.
Same as attachment:visual_replay_a18_megapatch.patch:ticket:9, but implements #3551 and #3552 for hosting to autoban players who attempt to use the developer overlay or send fake chat, no matter if the game is rated or not.
follow-up: 7 comment:5 by , 9 years ago
| Keywords: | review removed |
|---|
That patch contains way too many different changes and is not really reviewable. I saw code in there to limit the FPS in menus, and that is certainly not relevant here. Please break the patch down into separate tickets which can be added independently and then block this ticket on them.
comment:6 by , 9 years ago
Optionally, a hard kill of the developer overlay and console for release may work short-term. (physically remove the supporting code)
comment:7 by , 9 years ago
| Keywords: | review added |
|---|
Replying to Josh:
That patch contains way too many different changes and is not really reviewable. I saw code in there to limit the FPS in menus, and that is certainly not relevant here. Please break the patch down into separate tickets which can be added independently and then block this ticket on them.
Sorry this patch is for alpha 18 and is not the one to be reviewed for this ticket!!!
You shall review this attachment:t3552_prevent_commands_for_others_in_rated_games_v1.patch
comment:8 by , 8 years ago
Partial dupe of #2676. Also only doing so for rated games seems like the wrong approach IMO.
comment:9 by , 8 years ago
| Keywords: | review removed |
|---|---|
| Milestone: | Alpha 19 |
| Resolution: | → duplicate |
| Status: | new → closed |
Complete duplicate of #2676 actually.
This patch should prohibit the sending of all simulation commands for other players, which include: