C0nw0nk / Garrys-Mod-Family-Sharing

Prevent players bypassing existing bans on Garrys Mod Servers via steam family sharing / shared accounts or buying a new GMod. Banned messages and banning lengths configurable with lots of extra useful custom features such as a ban tracker / tracking. This script is guaranteed to make players regret receiving a ban from your server in GarrysMod / GarryMod / Garry'sMod / Garry's Mod / G Mod / G-Mod familysharing alts / alternative are a thing of the past. familysharing / familyshared checks / checker / checked / checking. lua script addon addons
http://www.networkflare.com/

Why is the settings Clientside? #9

Closed X-Rubick closed 6 years ago

X-Rubick commented 6 years ago

https://github.com/C0nw0nk/Garrys-Mod-Family-Sharing/blob/master/garrysmod/lua/autorun/familysharing.lua#L17

People could just be stealing your API if they dumped the server with scripthook or any other stuff, what's the fucking point?

C0nw0nk commented 6 years ago

Only these lines are CLIENT side code that the CLIENT will have access to. (Clients can't see your API key, test it yourself, since that is SERVER side code.)

https://github.com/C0nw0nk/Garrys-Mod-Family-Sharing/blob/master/garrysmod/lua/autorun/familysharing.lua#L76-L92

https://github.com/C0nw0nk/Garrys-Mod-Family-Sharing/blob/master/garrysmod/lua/autorun/familysharing.lua#L415-L455

Now you say if people dump the server with a script hook then your security is shit and you should look to improving that. But they can't access SERVER sided code without hacking the server first.

That is why you have SERVER and CLIENT in the first place.

SERVER sided code like the API key stays SERVER side and can only be accessed, used and read by SERVER sided scripts, not CLIENTS nor people who connect to the server. (Unless they hack your server somehow.)

They also can not do anything with the API key regardless, so it is pointless. The API key is used to read information from Steam, as seen here ( https://steamcommunity.com/dev ). It is nothing special and they can't modify or change / touch it, nor can they stop it.

Not an issue nor a security issue with script locking.

Phoenixf129 commented 6 years ago

Hey, you're totally wrong.

Do you know how the client, shared and server states work? You're currently using the shared realm, which means you're sending the whole file to the client, regardless of whether it's wrapped in an "if SERVER" block. The client just skips over the blocks.

This should be common sense. Do you not know how AddCSLuaFile() works? Why the hell are all your variables globals? This is a mess.

You can do many things with a Steam API key, including abusing it so the account gets limited.

Please fix your code.

C0nw0nk commented 6 years ago

Like I wrote on the readme page you are all more than welcome to make modifications and make a pull request.

I do not play Garry's Mod, but if you make a pull request and I see you have split the code into two files, one for the client folder and one for the server folder, removing it from shared, then I will push it to the main repo as an update.

You are more than welcome to fix and tidy it as you see fit. It is an old project now and the last modification I made was years ago when I actually played the game. But feel free to continue on where I left off and improve it as you see fit. Just drop a comment here whenever you have made changes; I shall check back and push it to the main repo when I get time.
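
An added example, not part of the thread or the project's code: a Python audit that flags secret-looking assignments in Lua files a client would download, which is the exposure Phoenixf129 describes and the client/server file split C0nw0nk proposes would remove. The download rule (files in `autorun/` and `autorun/client/`, or files calling `AddCSLuaFile()` with no argument, reach clients; `autorun/server/` does not), the regex heuristic, the file names and the placeholder key are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Heuristic (assumption): quoted value of 8+ chars assigned to a name containing key/secret/token.
SECRET_RE = re.compile(
    r"""^[ \t]*(?:local[ \t]+)?([\w.]*(?:key|secret|token)\w*)[ \t]*=[ \t]*["'][^"'\n]{8,}["']""",
    re.IGNORECASE | re.MULTILINE)
SELF_ADDCS_RE = re.compile(r"\bAddCSLuaFile\s*\(\s*\)")  # no argument: marks the calling file


def client_visible(rel: Path, source: str) -> bool:
    """Assumed rule: autorun/ and autorun/client/ files are sent to clients,
    autorun/server/ files are not, and AddCSLuaFile() queues the calling file."""
    dirs = [p.lower() for p in rel.parts[:-1]]
    shared_autorun = "autorun" in dirs and dirs[-1] != "server"
    return shared_autorun or bool(SELF_ADDCS_RE.search(source))


def audit(lua_root: Path) -> list:
    """Return (relative path, line, variable name) for each secret in a client-visible file."""
    findings = []
    for path in sorted(lua_root.rglob("*.lua")):
        source = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(lua_root)
        if client_visible(rel, source):
            for m in SECRET_RE.finditer(source):
                line = source.count("\n", 0, m.start(1)) + 1
                findings.append((rel.as_posix(), line, m.group(1)))
    return findings


def demo() -> list:
    """Constructed tree: the same placeholder key in a shared file and a server-only file."""
    with tempfile.TemporaryDirectory() as tmp:
        lua = Path(tmp) / "lua"
        (lua / "autorun" / "server").mkdir(parents=True)
        key_line = 'APIKey = "PLACEHOLDER0000000000000000000000"  -- not a real key\n'
        (lua / "autorun" / "shared_example.lua").write_text(
            "if SERVER then\n    " + key_line + "end\n", encoding="utf-8")
        (lua / "autorun" / "server" / "sv_example.lua").write_text(
            "local " + key_line, encoding="utf-8")
        return audit(lua)


if __name__ == "__main__":
    for rel, line, name in demo():
        print(f"{rel}:{line}: {name} is assigned in a file that clients download")
```

Only the shared file is reported: the `if SERVER then` wrapper does not change which bytes are shipped, while the copy under `autorun/server/` never leaves the server.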