Tsuey / L4D2-Community-Update

Help us shape the potential future of L4D2 vanilla.

gameinfo.txt allows loading of mods #493

Open lDrDooml opened 3 months ago

lDrDooml commented 3 months ago

Description

Hi, this has been known for quite some time around the community: adding a directory to gameinfo.txt allows the loading of mods and bypasses any server-side security methods.

Reproduction steps

Step 1: Create a folder with the name you want within the main game folder.

Step 2: Place the mod you want to install inside the folder you created. Then change the name of the mod to pak01_dir, otherwise it won't work.

Step 3: Open the gameinfo.txt file located in the left4dead2 folder.

Step 4: Create a new line in SearchPaths

"GameInfo"
{
    game    "Left 4 Dead 2" // Window title
    type multiplayer_only
    nomodels 1
    nohimodel 1
    l4dcrosshair 1
    hidden_maps
    {
        "test_speakers"         1
        "test_hardware"         1
    }
    nodegraph 0
    perfwizard 0
    SupportsXbox360 1
    SupportsDX8 0
    GameData    "left4dead2.fgd"

    FileSystem
    {
        SteamAppId              550     // This will mount all the GCFs we need (240=CS:S, 220=HL2).
        ToolsAppId              563     // Tools will load this (ie: source SDK caches) to get things like materials\debug, materials\editor, etc.

        //
        // The code that loads this file automatically does a few things here:
        //
        // 1. For each "Game" search path, it adds a "GameBin" path, in <dir>\bin
        // 2. For each "Game" search path, it adds another "Game" path in front of it with _<langage> at the end.
        //    For example: c:\hl2\cstrike on a french machine would get a c:\hl2\cstrike_french path added to it.
        // 3. For the first "Game" search path, it adds a search path called "MOD".
        // 4. For the first "Game" search path, it adds a search path called "DEFAULT_WRITE_PATH".
        //

        //
        // Search paths are relative to the base directory, which is where hl2.exe is found.
        //
        // |gameinfo_path| points at the directory where gameinfo.txt is.
        // We always want to mount that directory relative to gameinfo.txt, so
        // people can mount stuff in c:\mymod, and the main game resources are in
        // someplace like c:\program files\valve\steam\steamapps\<username>\half-life 2.
        //
        SearchPaths
        {
            Game                myaddon // this is the name of the folder
            Game                update
            Game                left4dead2_dlc3
            Game                left4dead2_dlc2
            Game                left4dead2_dlc1
            Game                |gameinfo_path|.
            Game                hl2
        }
    }
}

Step 5: Once all the steps have been completed, you can play with the mods you want without any restrictions.

Possible solution:

Add gameinfo.txt by default to the whitelist.cfg file (located in the left4dead2 folder) so that it performs checks before entering an official or third-party server. In case the gameinfo.txt does not match the server, the player will be kicked.

Additional files

No response

NB232 commented 3 months ago

Agreed, this should be top priority IMO. It's dumb that some nasty players can still load custom content on competitive gamemodes to gain massive advantages over the rest of the players with the excuse of "I just want my favorite mods on versus", knowing that you can literally host a local server to allow mods if that's the case. But right now this method is just so popular on the official server, to the point where it is just hard to tell which player is legit or abusing this method to have better "vision", "less distractions", etc.

- no boomer vomit screen
- brighter infected
- translucent stuff
- quieter / louder sounds
- bigger models or translucent models like foliage and stuff

lDrDooml commented 3 months ago

Hi again, days after trying my possible solution I can confirm that it works: if the player has the gameinfo.txt file modified, it does not let him enter the server.

This is what my whitelist.cfg file looks like:

whitelist
{
    //
    // 4 modifiers are allowed on file specifications:
    //
    //  allow_in_coop       - these files can be loaded from addon vpks when in coop mode
    //  allow_in_addon      - these files can be loaded from addon vpks when playing an addon.
    //  check_crc           - these files will always be CRC checked.
    //  check_every_map     - these files will be checked every map
    //

    //
    // Five types of file specifications:
    //
    //  1. directory\*.*            - refers to all files under the directory
    //  2. directory\...            - refers to all files under the directory and all directories under that (recursively)
    //  3. directory\*.*+.ext       - refers to all files under the directory with extension .ext
    //  4. directory\...+.ext       - refers to all files under the directory and all directories under that (recursively) with extension .ext
    //  5. directory\filename       - refers to a single file   

    //  
    // Files to be checked: 
    //

    left4dead2\pak01_dir.vpk        check_crc
    left4dead2\steam.inf            check_crc
    left4dead2\gameinfo.txt         check_crc

    left4dead2_dlc1\pak01_dir.vpk       check_crc
    left4dead2_dlc2\pak01_dir.vpk       check_crc
    left4dead2_dlc3\pak01_dir.vpk       check_crc

    update\pak01_dir.vpk            check_crc
}

ImAciidz commented 3 months ago

Unfortunately, the solution presented above can be trivially bypassed, so this will require a C++ fix from Valve.

lDrDooml commented 3 months ago

> Unfortunately, the solution presented above can be trivially bypassed, so this will require a C++ fix from Valve.

You should explain how this can be bypassed. I just tried this method with my servers and after connecting I was kicked out with the following reason:

image

The only thing I can think of on my part would be the player trying to force variables like sv_consistency to 0, but this problem would only occur on official servers. Valve should implement something that checks player variables before entering the server.
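
An added example, not part of the thread and not the project's code: a local audit that parses the SearchPaths block of a gameinfo.txt and lists every entry outside a known baseline, with its position in the block. The function names are hypothetical, and the baseline assumes the stock entries are the ones in the file quoted in the issue minus the added `myaddon` line.

```python
import re

# Assumption: stock entries = the gameinfo.txt quoted in the issue, minus the
# "myaddon" line that the reproduction steps add.
STOCK_PATHS = {"update", "left4dead2_dlc3", "left4dead2_dlc2",
               "left4dead2_dlc1", "|gameinfo_path|.", "hl2"}
TOKEN = re.compile(r'"([^"]*)"|([{}])|([^\s{}"]+)')

def tokenize(text):
    """Yield KeyValues tokens line by line, stopping at a // comment."""
    for line in text.splitlines():
        for quoted, brace, bare in TOKEN.findall(line):
            if bare.startswith("//"):
                break
            yield quoted or brace or bare

def search_paths(text):
    """Return the SearchPaths entries as [(key, path), ...] in file order."""
    toks = list(tokenize(text))
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() == "searchpaths" and toks[i + 1] == "{":
            body = toks[i + 2:]
            end = body.index("}") if "}" in body else len(body)
            return list(zip(body[0:end:2], body[1:end:2]))
    return []

def unexpected_paths(text, stock=STOCK_PATHS):
    """Return (position, path) for every search path outside the baseline."""
    return [(pos, path) for pos, (_, path) in enumerate(search_paths(text))
            if path.lower() not in stock]

# Constructed sample: the FileSystem block of the issue's file, shortened.
SAMPLE = r'''FileSystem
{
    // 1. For each "Game" search path, it adds a "GameBin" path, in <dir>\bin
    SearchPaths
    {
        Game myaddon // this is the name of the folder
        Game update
        Game left4dead2_dlc3
        Game left4dead2_dlc2
        Game left4dead2_dlc1
        Game |gameinfo_path|.
        Game hl2
    }
}'''

if __name__ == "__main__":
    print(unexpected_paths(SAMPLE))
```
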