id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc	phab_field
3923	Client-side detection of server-side command-injection	elexis		"r17170 (#2676) made the server reject commands for player X if they were sent by player Y (if cheats were disabled).

As suggested by sanderd17, the client should check if the server sent a command for him that the client didn't send (if cheats were disabled).

While r17170 (and the dupe of that ticket #3552) was about preventing acute abuse of the developer overlay, this ticket deals with a theoretical (yet unused) attack vector, where the `NetServer` code was modified to add commands which were not authorized by the original player.

Once such a command is detected, an error, message box or chat message should be shown. The command should still be executed so as not to become OOS (since being OOS is worse than ending the game immediately).
"	enhancement	new	If Time Permits	Backlog	Core engine				
