Opened 9 years ago
Last modified 8 years ago
#3552 closed defect
Prohibit sending commands for other players in rated games — at Version 1
Reported by: | elexis | Owned by: | |
---|---|---|---|
Priority: | Release Blocker | Milestone: | |
Component: | Core engine | Keywords: | patch |
Cc: | Patch: |
Description (last modified by )
Problem: Malicious users can send commands for other players in rated games.
This can be accomplished by abusing the developer overlay. It can be opened in rated games using one of the bugs (#3547, #3550, likely others) or by removing one check.
Release-blocker as it has been abused way too often by script-kiddies using proxies and making new accounts after being banned.
Implementation:
- Defending against malicious clients/players: For rated games, the server must ignore commands for players that don't correspond to the client that sent them.
According to #3155, sending commands for other players without having cheats enabled should be allowed. That's why we check for rated games instead of cheats.
- Defending against a malicious server (i.e. a host with a modified
NetServer.cpp
) is impossible without either using public/private-key crypto (and requiring everone to validate their public keys outside of 0 A.D.) or switching to a a p2p structure. Surely won't be addressed in this ticket.
Change History (2)
comment:1 by , 9 years ago
Description: | modified (diff) |
---|
by , 9 years ago
Attachment: | t3552_prevent_commands_for_others_in_rated_games_v1.patch added |
---|
Note:
See TracTickets
for help on using tickets.