id,summary,reporter,owner,description,type,status,priority,milestone,component,resolution,keywords,cc,phab_field
3923,Client-side detection of serverside command-injection,elexis,,"r17170 (#2676) made the server reject commands for player X if they were sent by player Y (if cheats were disabled).

As suggested by sanderd17, the client should check if the server sent a command for him that the client didn't send (if cheats were disabled).

While r17170 (and the dupe of that ticket #3552) was about preventing acute abuse of the developer overlay, this ticket deals with a theoretical (yet unused) attack vector, where the `NetServer` code was modified to add commands which were not authorized by the original player.

Once such a command is detected, an error, message box or chatmessage should be shown. The command should still be executed so as not to become OOS (since being OOS is worse than ending the game immediately).
",enhancement,new,If Time Permits,Backlog,Network,,,,