Chat on our Discord Server
Get the latest version: 3.2Source Code
| Anonymous | Login | Signup for a new account | 2025-06-17 17:24 UTC |  |
| My View | View Issues | Change Log | Roadmap | All Projects Issue Support Ranking | Rules | My Account |
| View Revisions: Issue #1426 | [ All Revisions ] [ Back to Issue ] | ||
| Summary | 0001426: Make ConsoleCommand whitelist-based | ||
| Revision | 2013-07-23 12:09 by Dusk | ||
| Description | In light of all these exploits and abuse going about, I thought I'd put this on the table: Make ConsoleCommand whitelist-based. Instead of blacklisting the bad commands, white-list the ones we want ConsoleCommand to use until we're ready to cut it off. It'd be at least a partial fix to this security issue. Further it'd also give us a list of stuff we need to allow ACS to do before we can finally say bye bye to ConsoleCommand - while we patch the use cases, we could prevent new ones from arising. I'm not too sure exactly what ones need to be set. Also I'd suggest changing the new cvar flag to CVAR_ALLOWSETBYACS or something like that to do the same whitelisting to cvars. |
||
| Revision | 2013-07-22 23:51 by Dusk | ||
| Description | In light of recent events of exploits and abuse, I thought I'd put this on the table: Make ConsoleCommand whitelist-based. Instead of blacklisting the bad commands, white-list the ones we want ConsoleCommand to use until we're ready to cut it off. It'd be at least a partial fix to this security issue. Further it'd also give us a list of stuff we need to allow ACS to do before we can finally say bye bye to ConsoleCommand - while we patch the use cases, we could prevent new ones from arising. I'm not too sure exactly what ones need to be set. Also I'd suggest changing the new cvar flag to CVAR_ALLOWSETBYACS or something like that to do the same whitelisting to cvars. |
||
| Revision | 2013-07-22 23:50 by Dusk | ||
| Description | In light of recent events of exploits and abuse, I'm becoming more and more convinced this would be a good idea. Make ConsoleCommand whitelist-based. Instead of blacklisting the bad commands, white-list the ones we want ConsoleCommand to use... for now. It'd be at least a partial fix to this number one security issue. Further it'd also give us a list of stuff we need to allow ACS to do before we can finally say bye bye to ConsoleCommand - while we patch the use cases, we could prevent new ones from arising. I'm not too sure exactly what ones need to be set. Also I'd suggest changing the new cvar flag to CVAR_ALLOWSETBYACS or something like that to do the same whitelisting to cvars. |
||
| Copyright © 2000 - 2025 MantisBT Team |
 |
ZDoom
Doom Wiki
id Software
Doomworld
Odamex
Doomseeker
Internet Doom Explorer
The Sentinel's Playground Servers