id summary reporter owner description type status priority milestone component resolution keywords cc phab_field 3552 [PATCH] Prohibit sending commands for other players in rated games elexis "'''Problem:''' Malicious users can send commands for other players in rated games. This can be accomplished by abusing the developer overlay. It can be opened in rated games using one of the bugs (#3547, #3550, likely others) or by removing one check. Release-blocker as it has been abused way too often by script-kiddies using proxies and making new accounts after being banned. '''Implementation:''' * Defending against malicious clients/players: For rated games, '''the server must ignore commands for players that don't correspond to the client that sent them'''. {{{ #!div style=""font-size: 80%"" According to #3155, sending commands for other players without having cheats enabled should be allowed. That's why we check for rated games instead of cheats. }}} * Defending against a malicious server (i.e. a host with a modified `NetServer.cpp`) is '''impossible''' without either using public/private-key crypto (and requiring everone to validate their public keys outside of 0 A.D.) or switching to a a p2p structure. Surely won't be addressed in this ticket." defect closed Release Blocker Core engine duplicate patch