Opened 8 years ago
Last modified 7 years ago
#3551 closed defect
Prohibit developer overlay cheats in rated games — at Initial Version
| Reported by: | elexis | Owned by: | |
|---|---|---|---|
| Priority: | Release Blocker | Milestone: | Alpha 22 |
| Component: | UI & Simulation | Keywords: | patch, beta |
| Cc: | Patch: |
Description
Problem: There are some bugs which can be abused to enable the developer overlay in rated games (#3547, #3550 and likely others). As long as we only use a client-side check to disable the developer overlay, users can just remove that and abuse the feature. Should be a release blocker as it has been abused way too often by people using proxies and making new accounts after being banned.
What needs to be done:
- We have to prohibit the worst effects of the dev overlay in the simulation. These are:
- Control all units (cheat)
- Reveal map (cheat)
- Promote units (cheat)
- Sending commands for other players (change perspective, to be done in another ticket as it involves the server)
I.e. we should not execute developer overlay cheats in the simulation code if the game is rated.
- Furthermore unadulterated clients should display a warning message stating that this user attempted to cheat.
Why prohibiting cheats can be done securely: Those three developer overlay cheats should not be executed if ratings are enabled. If a malicious player (no matter if host or client) will remove that check, the game will become out-of-sync instantaneously and only the malicious user will execute cheat. Thus the malicious user will not be able to participate anymore in that game.
Why we can't prohibit the actual overlays: I don't see a way how to securely remove the prohibiting of the actual overlays (like the pathfinder overlay). This is local code, thus it can always be replicated/reverted after an attempted fix. The damage of those overlays is limited to revealing the map, which will always be possible for malicious clients.
How to implement: (Probably about 20 lines)
- Add the check: The commands available in the simulation, including those three cheats are coded in
Commands.jsand reside in thecommandsvariable:"reveal-map": function(player, cmd, data) { // Reveal the map for all players, not just the current player, // primarily to make it obvious to everyone that the player is cheating var cmpRangeManager = Engine.QueryInterface(SYSTEM_ENTITY, IID_RangeManager); cmpRangeManager.SetLosRevealAll(-1, cmd.enable); }, "promote": function(player, cmd, data) { // No need to do checks here since this is a cheat anyway var cmpGuiInterface = Engine.QueryInterface(SYSTEM_ENTITY, IID_GuiInterface); cmpGuiInterface.PushNotification({"type": "chat", "players": [player], "message": "(Cheat - promoted units)"}); for each (var ent in cmd.entities) { var cmpPromotion = Engine.QueryInterface(ent, IID_Promotion); if (cmpPromotion) cmpPromotion.IncreaseXp(cmpPromotion.GetRequiredXp() - cmpPromotion.GetCurrentXp()); } }, "control-all": function(player, cmd, data) { data.cmpPlayer.SetControlAllUnits(cmd.flag); },
Notice the regular cheats are executed in
Cheats.jsand there we prohibit the cheat securely by checkingif (!cmpPlayer.GetCheatsEnabled()). For those three developer overlay cheats we need to check if ratings are enabled.
- Show the cheat notification: If ratings are disabled and the cheat was attempted to be executed, we should display the notification. It must be sent similar to the chat simulation command:
"chat": function(player, cmd, data) { var cmpGuiInterface = Engine.QueryInterface(SYSTEM_ENTITY, IID_GuiInterface); cmpGuiInterface.PushNotification({"type": cmd.type, "players": [player], "message": cmd.message}); },A new notification type has to be added tog_NotificationsTypesinmessages.js. It should display a message box. Find examples in the code by searching formessageBox. (Please test if having two message boxes simultaneously causes trouble, as we might get a second one due to the resulting out-of-sync in that case).
