id,summary,reporter,owner,description,type,status,priority,milestone,component,resolution,keywords,cc,phab_field
3552,Prohibit sending commands for other players in rated games,elexis,,"'''Problem:''' Malicious users can send commands for other players in rated games.

This can be accomplished by abusing the developer overlay, which can be opened in rated games using one of the bugs (#3547, #3550, likely others) or by removing one check.

Release blocker as it has been abused way too often by script-kiddies using proxies and making new accounts after being banned.

'''Implementation:'''
* Defending against malicious clients/players: For rated games, the server must ignore commands for players that don't correspond to the client that sent them.
* Defending against a malicious server (i.e. a host with a modified `NetServer.cpp`) is impossible without using public/private-key crypto (or a p2p structure instead). Surely won't be addressed in this ticket.

According to #3155 sending commands for other players without having cheats enabled should be allowed. That's why we check for rated games instead, where it shouldn't be possible (according to that javascript check).",defect,new,Release Blocker,Backlog,Core engine,,,,