MantisBT - Zandronum |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0002528 | Zandronum | [All Projects] Suggestion | public | 2015-11-18 22:06 | 2018-09-30 22:05 |
|
Reporter | WaTaKiD | |
Assigned To | Dusk | |
Priority | high | Severity | exploit | Reproducibility | N/A |
Status | closed | Resolution | fixed | |
Platform | Microsoft | OS | Windows | OS Version | XP/Vista/7 |
Product Version | | |
Target Version | 2.2 | Fixed in Version | 3.0 | |
|
Summary | 0002528: enforce the drop weapon check serverside |
Description | <Leonard> ok so there's a time limit and a cooperative check done at the same time but it's clientside only
<Leonard> I guess those need to be enforced on serverside
otherwise a modified client could bypass this and for example: drop weapons and pick up the map placed ones again for more ammo in a dm game, where players using a vanilla client cannot |
Steps To Reproduce | |
Additional Information | |
Tags | No tags attached. |
Relationships | |
Attached Files | |
|
Issue History |
Date Modified | Username | Field | Change |
2015-11-18 22:06 | WaTaKiD | New Issue | |
2015-11-18 22:06 | WaTaKiD | Description Updated | bug_revision_view_page.php?rev_id=8248#r8248 |
2016-02-07 18:57 | Dusk | Severity | minor => exploit |
2016-02-07 20:33 | Leonard | Note Added: 0014388 | |
2016-02-07 21:06 | Torr Samaho | Note Added: 0014390 | |
2016-02-08 04:16 | WaTaKiD | Note Added: 0014392 | |
2016-02-08 07:31 | DrinkyBird | Note Added: 0014393 | |
2016-02-08 10:04 | DrinkyBird | Note Edited: 0014393 | bug_revision_view_page.php?bugnote_id=14393#r8685 |
2016-02-08 11:45 | WaTaKiD | Note Added: 0014394 | |
2016-02-08 12:09 | Dusk | Assigned To | => Dusk |
2016-02-08 12:09 | Dusk | Status | new => assigned |
2016-02-08 12:20 | WaTaKiD | Note Edited: 0014394 | bug_revision_view_page.php?bugnote_id=14394#r8687 |
2016-02-10 15:14 | Dusk | Note Added: 0014414 | |
2016-02-10 15:14 | Dusk | Status | assigned => needs review |
2016-02-10 15:14 | Dusk | Priority | normal => high |
2016-02-10 20:14 | cobalt | Status | needs review => needs testing |
2016-02-10 20:14 | cobalt | Target Version | => 2.2 |
2016-02-10 20:14 | cobalt | Description Updated | bug_revision_view_page.php?rev_id=8715#r8715 |
2016-02-10 20:14 | cobalt | Note Added: 0014417 | |
2016-02-10 20:14 | cobalt | Note Added: 0014418 | |
2016-03-01 22:35 | WaTaKiD | Note Added: 0014532 | |
2016-03-01 22:35 | WaTaKiD | Status | needs testing => resolved |
2016-03-01 22:35 | WaTaKiD | Resolution | open => fixed |
2016-03-01 22:35 | WaTaKiD | Fixed in Version | => 3.0 |
2016-03-01 22:35 | WaTaKiD | Description Updated | bug_revision_view_page.php?rev_id=8798#r8798 |
2018-09-30 22:05 | Blzut3 | Status | resolved => closed |
Notes |
|
|
I might add that there's a ton of other checks like that which are only enforced on the clientside..
It's not the first time it happens and someone else already said this on the tracker. |
|
|
|
For this particular check, I'd think the client side check should simply be dropped. Not allowing dropping in non-coop modes doesn't make much sense now that we have sv_nodrop, which is already enforced on the server. |
|
|
|
Leonard: would you please elaborate on the tons of other checks? it'd be appreciated if you would help find and discuss them so as to improve zandronum overall
if you feel that any or all should go into a private note, ticket, or even a pm on the forums or irc, any is fine as long as we can show them to the devs and see what needs adjusting to ensure a better experience in the future |
|
|
(0014393) | DrinkyBird | 2016-02-08 07:31 (edited on: 2016-02-08 10:04) |
I noticed that you don't need a custom client to avoid dropping weapons in competitive game modes, all you need to do is set sv_limitcommands to 0 on the client. sv_nodrop 1 on the server will prevent this, however.
|
|
|
(0014394) | WaTaKiD | 2016-02-08 11:45 (edited on: 2016-02-08 12:20) |
what AOSP says is true, however, sv_limitcommands is definitely not something that was disabled at the time this was found and reported, nor is it something that should be disabled in public servers due to how it can be used to really spam up the place and should instead be used with care like other debugging type commands (developer, sv_cheats, etc)
edit: as i reread AOSP's note, it is in fact true that a client can set sv_limitcommands to false and drop weapons, regardless if the server has sv_limitcommands true or false, and that if the server has sv_nodrop set to true, then the client cannot drop a weapon
|
|
|
(0014414) | Dusk | 2016-02-10 15:14 |
|
|
|
(0014417) | cobalt | 2016-02-10 20:14 |
|
|
|
(0014418) | cobalt | 2016-02-10 20:14 |
|
|
|
|
tested using 3.0-r160229-1221, as a client i was unable to change sv_limitcommands for myself
also i was able to drop weapons in every gamemode with sv_nodrop 0, and was unable to drop with sv_nodrop 1 |
|
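The pattern this ticket asks for, shown as an added example that is not Zandronum's code: the server decides a drop request from its own copies of sv_nodrop and sv_limitcommands, its own inventory record and its own clock. All type and function names are hypothetical, and the 35-tic interval is a constructed value.

```cpp
#include <cstdint>
#include <unordered_map>

// Illustrative server-side model; none of these types are Zandronum's own.
struct ServerConfig {
    bool noDrop = false;            // server's value of sv_nodrop
    bool limitCommands = true;      // server's value of sv_limitcommands
    uint32_t dropIntervalTics = 35; // assumed minimum gap between drops
};

struct PlayerRecord {
    int weaponsHeld = 0;        // server-tracked inventory count
    bool droppedBefore = false; // whether lastDropTic is meaningful yet
    uint32_t lastDropTic = 0;   // server tic of the last accepted drop
};

enum class DropVerdict { Allowed, NoDropSet, TooSoon, NothingToDrop, UnknownPlayer };

class DropGate {
public:
    explicit DropGate(ServerConfig cfg) : cfg_(cfg) {}
    void setWeapons(int player, int count) { players_[player].weaponsHeld = count; }
    int weapons(int player) const {
        auto it = players_.find(player);
        return it == players_.end() ? 0 : it->second.weaponsHeld;
    }

    // The request carries only the player id; every input to the decision
    // comes from server-owned state, never from a value the client reported.
    DropVerdict onDropRequest(int player, uint32_t serverTic) {
        auto it = players_.find(player);
        if (it == players_.end()) return DropVerdict::UnknownPlayer;
        PlayerRecord &p = it->second;
        if (cfg_.noDrop) return DropVerdict::NoDropSet;
        if (p.weaponsHeld <= 0) return DropVerdict::NothingToDrop;
        if (cfg_.limitCommands && p.droppedBefore &&
            serverTic - p.lastDropTic < cfg_.dropIntervalTics)
            return DropVerdict::TooSoon;
        --p.weaponsHeld;            // state changes only after all checks pass
        p.droppedBefore = true;
        p.lastDropTic = serverTic;
        return DropVerdict::Allowed;
    }

private:
    ServerConfig cfg_;
    std::unordered_map<int, PlayerRecord> players_;
};
```

A rejected request leaves the player record untouched, so a client that skips its local checks gains nothing by resending.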