ID | Project | Category | View Status | Date Submitted | Last Update
0002120 | Zandronum | [All Projects] Bug | public | 2015-03-08 01:00 | 2015-03-08 04:51
Reporter | haxmurderer
Assigned To |
Priority | normal | Severity | major | Reproducibility | always
Status | new | Resolution | open
Platform | Microsoft | OS | Windows | OS Version | XP/Vista/7
Product Version | 1.3
Target Version | Fixed in Version |
Summary | 0002120: Persistent inventory / DB is always exploitable due to design limitations
Description | Hi guys,

In Survivalism, I've had persistent inventory running pretty much since Zandronum 1.3 came out, and the basics have been working great. There's dozens of players who have persistent inventory on my server and have been playing for months.

One major problem that I can't figure out is how to prevent this exploit: A player saves their inventory in-game, drops a bunch of items, reconnects, and then reloads their inventory. They now have all their old inventory plus the items they dropped.

I thought the solution would be to save the player's inventory in a DISCONNECT script, but the ZDoom wiki says, "Because the player has already left the game by the time this script is called, no actions can be taken on that player", therefore this solution won't work.

If we changed the behaviour of DISCONNECT to allow access to the player momentarily, I'd be able to solve my problem. I can't think of any other way around this. I believe we have to change something in Zandronum to fix this exploit. It's more important to me now because I've added an XP and leveling system to Survivalism that's also persistent.

Any ideas? Thanks!
Steps To Reproduce | Do a thought experiment: A player saves their inventory in-game to the DB, drops a bunch of items, reconnects, and then loads their inventory from the DB. They now have all their old inventory plus the items they dropped.
Attached Files |
Notes | |
(0011782) Hypnotoad (reporter) 2015-03-08 02:56 |
I assume you're also using the accounts system. To write info associated with player accounts when they disconnect: store the account name of each player temporarily in a new namespace in the DB on join, with their player number as the key name. Then, on the disconnect script, simply use the player number that's passed to access the account name from the temp account names namespace, and write whatever you need to the database using this name. But are you sure you can't just update the database every time a player drops their inventory? |
Supporters: | ZzZombo |
Opponents: | No one explicitly opposes this issue yet. |
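The duplication in the report and the save-on-disconnect approach from the note, as a small model in Python rather than ACS. This is an added example, not code from Survivalism or Zandronum; the `Server` class, the `medkit` item and the `alice` account are constructed, and the model assumes the server keeps its own copy of each inventory because the disconnect handler receives only the player number.

```python
from collections import Counter

class Server:
    """Toy model: persistent account DB plus live inventories per player slot."""
    def __init__(self, save_on_disconnect):
        self.save_on_disconnect = save_on_disconnect
        self.db = {}             # account -> Counter (persistent inventory)
        self.slot_account = {}   # player number -> account, the note's temp namespace
        self.live = {}           # player number -> Counter, gone once the player leaves
        self.mirror = {}         # player number -> server-side copy of the live inventory
        self.ground = Counter()  # items dropped into the world

    def join(self, slot, account):
        self.slot_account[slot] = account   # recorded on join, keyed by player number
        self.live[slot] = Counter(self.db.get(account, {}))
        self.mirror[slot] = Counter(self.live[slot])

    def manual_save(self, slot):            # the player-triggered save from the report
        self.db[self.slot_account[slot]] = Counter(self.live[slot])

    def drop(self, slot, item, n):
        n = min(n, self.live[slot][item])   # cannot drop more than is carried
        self.live[slot][item] -= n
        self.ground[item] += n
        self.mirror[slot] = Counter(self.live[slot])

    def disconnect(self, slot):
        del self.live[slot]                 # the player object is already unavailable
        account = self.slot_account.pop(slot)
        snapshot = self.mirror.pop(slot)
        if self.save_on_disconnect:         # handler works from the player number alone
            self.db[account] = snapshot

    def total(self, item):
        """Count every copy of item: on the ground, carried, or saved for offline accounts."""
        online = set(self.slot_account.values())
        carried = sum(inv[item] for inv in self.live.values())
        saved = sum(inv[item] for acc, inv in self.db.items() if acc not in online)
        return self.ground[item] + carried + saved

def run_scenario(save_on_disconnect):
    """Save, drop, reconnect, reload; returns how many medkits exist afterwards."""
    s = Server(save_on_disconnect)
    s.db["alice"] = Counter(medkit=5)       # constructed sample data
    s.join(0, "alice")
    s.manual_save(0)
    s.drop(0, "medkit", 3)
    s.disconnect(0)
    s.join(0, "alice")
    return s.total("medkit")
```

Starting from 5 medkits, `run_scenario(False)` ends with 8 in existence, while `run_scenario(True)` keeps the total at 5.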
Issue History
Date Modified | Username | Field | Change
2015-03-08 01:00 | haxmurderer | New Issue |
2015-03-08 02:56 | Hypnotoad | Note Added: 0011782 |