Opened 8 years ago

Last modified 5 years ago

#3923 new enhancement

Client-side detection of serverside command-injection

Reported by: elexis
Owned by:
Priority: If Time Permits
Milestone: Backlog
Component: Network
Keywords:
Cc:
Patch:

Description (last modified by elexis)

r17170 (#2676) made the server reject commands for player X if they were sent by player Y (if cheats were disabled).

As suggested by sanderd17, the client should check if the server sent a command for him that the client didn't send (if cheats were disabled).

While r17170 (and the dupe of that ticket #3552) was about preventing acute abuse of the developer overlay, this ticket deals with a theoretical (yet unused) attack vector, where the NetServer code was modified to add commands which were not authorized by the original player.

Once such a command is detected, an error, message box or chat message should be shown. The command should still be executed so as not to become OOS (since being OOS is worse than ending the game immediately).

Change History (4)

comment:1 by elexis, 8 years ago

Notice the client could also ignore all commands for his own player sent by the server. But it is likely going to end in several OOS problems (different order of commands) and also wouldn't work for games that have cheats enabled, where other clients can send commands.

comment:2 by elexis, 8 years ago

Component: Core engine → Network

(set component to network)

comment:3 by elexis, 8 years ago

Should also check for completeness, i.e. all commands queued should also be returned by the server.
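
The client-side check proposed in the description, together with the completeness check from comment:3, as an added example that is not part of the ticket or of the project's code. `Command`, `AuditReport` and `CommandAuditor` are hypothetical names; it assumes the client knows the turn each of its commands is scheduled for and can compare commands as serialized strings.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical types for illustration; not the project's NetClient API.
struct Command { int player; std::string data; };
struct AuditReport { std::vector<std::string> injected, missing; };

class CommandAuditor {
public:
    CommandAuditor(int localPlayer, bool cheatsEnabled)
        : m_Player(localPlayer), m_Cheats(cheatsEnabled) {}

    // Record a command the local client sent, keyed by its scheduled turn.
    void RecordSent(int turn, const std::string& data) { ++m_Sent[turn][data]; }

    // Audit the commands the server delivered for `turn`. Report only: the
    // caller still executes every delivered command so it does not go OOS.
    AuditReport CheckTurn(int turn, const std::vector<Command>& fromServer) {
        std::map<std::string, std::size_t> pending;
        pending.swap(m_Sent[turn]);
        m_Sent.erase(turn);
        AuditReport report;
        if (m_Cheats) return report;  // other clients may command our player
        for (const Command& cmd : fromServer) {
            if (cmd.player != m_Player) continue;
            auto it = pending.find(cmd.data);
            if (it == pending.end()) report.injected.push_back(cmd.data);
            else if (--it->second == 0) pending.erase(it);
        }
        // Completeness check: sent locally but never returned by the server.
        for (const auto& kv : pending)
            report.missing.insert(report.missing.end(), kv.second, kv.first);
        return report;
    }
private:
    int m_Player; bool m_Cheats;
    std::map<int, std::map<std::string, std::size_t>> m_Sent;
};

int main() {
    CommandAuditor audit(1, false);  // constructed sample input
    audit.RecordSent(5, "train");
    audit.RecordSent(5, "move");
    AuditReport r = audit.CheckTurn(5, {{1, "train"}, {1, "resign"}, {2, "attack"}});
    std::cout << r.injected.size() << " injected, " << r.missing.size() << " missing\n";
}
```

Counting occurrences rather than keeping a plain set means a command the server duplicates is also reported as injected.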

comment:4 by elexis, 5 years ago

Description: modified (diff)

Gamesetup serverside simulation setting injection described in #4463.
