Example: the "shop made item" onCommand handler often accepts any string from params (string name = params.read_string();); this can be (and has been) exploited to spawn any item using 3rd party tools.
Solution:
Shop cmd should check to see if the user has actually paid for the item
Depending on the shop, have a list of 'allowed' blobs
Should log (with tcpr) who's spawned what blob with shop cmd
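
A sketch of a "shop made item" handler that applies the three checks above, as an added example rather than the game's own shop script. The item names, coin prices, coin-based payment and the payload layout (caller netid followed by the item name) are assumptions made for illustration.

```angelscript
// Added example; not taken from the game's scripts.
// Assumed: this shop sells three items for coins, and the command
// payload is the caller's netid followed by the item name.
const string[] ALLOWED_BLOBS = {"lantern", "bucket", "sponge"}; // per-shop allow list
const u32[] PRICES = {10, 10, 15};                               // same order as above

void onCommand(CBlob@ this, u8 cmd, CBitStream@ params)
{
	if (cmd != this.getCommandID("shop made item")) return;
	if (!getNet().isServer()) return; // only the server decides what spawns

	u16 callerID;
	if (!params.saferead_netid(callerID)) return;
	string name = params.read_string(); // client-controlled, never trusted as-is

	CBlob@ caller = getBlobByNetworkID(callerID);
	if (caller is null) return;
	CPlayer@ player = caller.getPlayer();
	if (player is null) return;
	string user = player.getUsername();

	// 1) The requested blob must be on this shop's allow list.
	int idx = ALLOWED_BLOBS.find(name);
	if (idx < 0)
	{
		tcpr("[shop] DENIED " + user + " requested '" + name + "' at " + this.getName());
		return;
	}

	// 2) The buyer must actually pay; charge on the server before spawning.
	u32 price = PRICES[idx];
	if (player.getCoins() < price)
	{
		tcpr("[shop] UNPAID " + user + " requested '" + name + "' at " + this.getName());
		return;
	}
	player.server_setCoins(player.getCoins() - price);

	// 3) Spawn, then log who spawned what.
	server_CreateBlob(name, caller.getTeamNum(), this.getPosition());
	tcpr("[shop] " + user + " spawned '" + name + "' at " + this.getName());
}
```

Logging the denied and unpaid requests as well as the successful ones gives admins a record of players sending crafted commands.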