playermanager and GetPlayersFromString

xyzelt commented 1 week ago

Targeting groups supercede check of player's name. If an malicious player have name like one of targeting groups will not be selected. There are flags to avoid some command but i think is not enough. For example to kick a player with name @random there are big chance to kick someone else.

My sugestion is

not return ETargetError::NO_ERRORS at if (nType == ETargetType::SELF)

before last return iNumClients ? ETargetError::NO_ERRORS : ETargetError::INVALID check if there are an player with that name and add to rgiClients to include them in that command. Something like this

if (!V_strncmp(pszTarget, "@",1)){ for (int i = 0; i < gpGlobals->maxClients; i++) { if (m_vecPlayers[i] == nullptr) continue;

    CCSPlayerController* pTarget = CCSPlayerController::FromSlot(i);

    if (!pTarget || !pTarget->IsController() || !pTarget->IsConnected() || pTarget->m_bIsHLTV)
        continue;

    if (!V_strcmp(pTarget->GetPlayerName(), pszTarget))
    {
        ETargetError eType = GetTargetError(pPlayer, pTarget, iBlockedFlags);
        if (eType == ETargetError::NO_ERRORS)
        {
            rgiClients[iNumClients++] = i;
        }
    }
}

}

Vauff commented 1 week ago

You can use the & prefix to force an exact name lookup when required, e.g. !kick &@random.

xyzelt commented 1 week ago

I know that, but if there are an hurried admin who don't know about targeting groups someone else are hurt...

Source2ZE / CS2Fixes

playermanager and GetPlayersFromString #326