Opened 9 years ago
Last modified 8 years ago
#3552 closed defect
Prohibit sending commands for other players in rated games — at Initial Version
Reported by: | elexis | Owned by: | |
---|---|---|---|
Priority: | Release Blocker | Milestone: | |
Component: | Core engine | Keywords: | patch |
Cc: | Patch: |
Description
Problem: Malicious users can send commands for other players in rated games.
This can be accomplished by abusing the developer overlay, which can be opened in rated games using one of the bugs (#3547, #3550, likely others) or by removing one check.
Release blocker as it has been abused way too often by script-kiddies using proxies and making new accounts after being banned.
Implementation:
- Defending against malicious clients/players: For rated games, the server must ignore commands for players that don't correspond to the client that sent them.
- Defending against a malicious server (i.e. a host with a modified
NetServer.cpp
) is impossible without using public/private-key crypto (or a p2p structure instead). Surely won't be addressed in this ticket.
According to #3155 sending commands for other players without having cheats enabled should be allowed. That's why we check for rated games instead, where it shouldn't be possible (according to that javascript check).
Note:
See TracTickets
for help on using tickets.