search

JBMod / jbmod

Official bug tracker and request tracker for JBMod
https://www.jbmod.com/
14 stars 1 forks source link

"Slowhacking" is still possible #1

Closed Nafrayu closed 1 year ago

Nafrayu commented 1 year ago

Describe the bug Servers can still execute malicious commands like '+voicerecord', 'unbindall', 'host_writeconfig', 'bind', 'say', 'quit', 'cancelselect' (Can be used to prevent the user from pressing ESC)

To Reproduce Steps to reproduce the behavior:

  1. Have a Server with Metamod/Sourcemod installed
  2. Install this plugin into Sourcemod: https://forums.alliedmods.net/showthread.php?p=513150
  3. Execute this command at the server console: sm_cexec <playername> unbindall

Expected behavior I expect to only be able to execute commands that have the FCVAR_SERVER_CAN_EXECUTE flag set.

edit: From what i see Valve gave us an easy method to fix this, see https://github.com/ValveSoftware/source-sdk-2013/blob/0d8dceea4310fde5706b3ce1c70609d72a38efdf/mp/src/public/cdll_int.h#L486

TEAMJBMOD commented 1 year ago

Thanks! I was putting this off with the intent of making this scriptable, but it probably makes sense to have it off by default for now.

This is fixed in the next release.