ValveSoftware / Source-1-Games

Source 1 based games such as TF2 and Counter-Strike: Source

[L4D2] Custom maps (.bsp) files are no longer downloadable from community servers #5661

Open backwards-dev opened 6 months ago

backwards-dev commented 6 months ago

One of the recent L4D2 updates has prevented community servers from being able to deliver custom map content to connecting users. Now, when connecting to a server that is currently running a map that you haven't previously downloaded, the client will disconnect with this message in the console:

Host_Error: CMapLoadHelper::Init, unable to open maps/{MapName}.bsp

The reason for this is that the native file transfer system in the Source engine has a function called CNetChan::IsValidFileForTransfer(char* FilePath) which, when it returns false, will prevent the file transfer. The recent update has changed the string checks for file extensions which are not permitted:

IsValidFileForTransfer

.bsp seems to have been mistakenly added to this list while updating it to a newer version reference from a different game. This is the previous version of the check which allowed files to the remote maps folder only if they had the extension type .bsp, .ain & .nav:

IsSafeFileTransfer_Old

The only way to download a custom map now is if the map's .bsp file is included inside a .vpk file as an addon and uploaded to the Steam Workshop. This puts the users at a security risk, though, as these .vpk files can add extra files besides the map which can modify the client's game in other ways: workshop

It would be nice if we can get the .bsp removed from this list or at least replaced with the previous code.

notvalid
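The maps/ extension rule described in this comment, sketched as an added example (not code from the issue or from Valve). The function name, the policy enum and the sample paths are assumptions, and the engine's other transfer checks are not modelled:

```cpp
// Added illustration with hypothetical names; not Valve's code.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>

// The three maps/ policies mentioned in the thread.
enum class MapsPolicy {
    AllowMapAssets,  // previous check: maps/ accepts only .bsp, .ain, .nav
    BlockBsp,        // L4D2 update as reported: .bsp is refused as well
    BlockAllMaps     // L4D1 update as reported: nothing is sent to maps/
};

// Lower-case and unify separators so "MAPS\X.BSP" cannot dodge the checks.
static std::string Normalize(std::string p) {
    std::replace(p.begin(), p.end(), '\\', '/');
    std::transform(p.begin(), p.end(), p.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return p;
}

// Extension of the final path component, dot included ("" if none).
static std::string Extension(const std::string& p) {
    const auto slash = p.find_last_of('/');
    const auto dot = p.find_last_of('.');
    if (dot == std::string::npos || (slash != std::string::npos && dot < slash)) return "";
    return p.substr(dot);
}

bool IsTransferAllowed(const std::string& rawPath, MapsPolicy policy) {
    const std::string p = Normalize(rawPath);
    // Refuse empty, absolute, drive-qualified and parent-directory paths first,
    // so "maps/../cfg/x.bsp" is never judged as a maps/ file.
    if (p.empty() || p[0] == '/' || p.find(':') != std::string::npos ||
        p.find("..") != std::string::npos) return false;
    const std::string ext = Extension(p);
    const bool inMaps = p.rfind("maps/", 0) == 0;  // prefix test
    const bool mapAsset = ext == ".bsp" || ext == ".ain" || ext == ".nav";
    switch (policy) {  // paths outside maps/ are not restricted by this rule
    case MapsPolicy::AllowMapAssets: return !inMaps || mapAsset;
    case MapsPolicy::BlockBsp:       return ext != ".bsp" && (!inMaps || mapAsset);
    case MapsPolicy::BlockAllMaps:   return !inMaps;
    }
    return false;
}

int main() {
    const char* samples[] = {"maps/custom_map.bsp", "maps/custom_map.nav", "maps/evil.cfg"};  // constructed
    for (const char* s : samples)
        std::printf("%-22s old=%d l4d2=%d l4d1=%d\n", s, IsTransferAllowed(s, MapsPolicy::AllowMapAssets),
                    IsTransferAllowed(s, MapsPolicy::BlockBsp), IsTransferAllowed(s, MapsPolicy::BlockAllMaps));
}
```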

ethanholt1 commented 6 months ago

This might be intentional behavior, but the VPK thing definitely needs to be checked out. I do remember some maps could crash your game, but maybe I’m remembering incorrectly

Diver76 commented 6 months ago

I'm not sure why Valve is doing this, but I suspect that if BSP is allowed to be downloaded from community servers, there may be some people forcing the client to download maliciously modified official maps, making it impossible for the client to play any games.

backwards-dev commented 6 months ago

> I'm not sure why Valve is doing this, but I suspect that if BSP is allowed to be downloaded from community servers, there may be some people forcing the client to download maliciously modified official maps, making it impossible for the client to play any games.

The CNetChan::SendFile functionality in the Source engine (which is now blocking .bsp files) will not overwrite existing files. If they are doing that, then it's most likely not through this method, and it wouldn't make sense to block sending the .bsp in this case. The only reason I could see for purposefully blocking .bsp files is to temporarily prevent a remote code execution exploit that exists in the current BSP version. However, that wouldn't make any sense, since they can still send the .bsp file inside the .vpk on the Steam Workshop to affect clients with the same attack vector anyways.

backwards-dev commented 6 months ago

Last night's Left 4 Dead 1 update also included blocking the transfer of all files to the maps/ folder when backporting exploit fixes from L4D2.

l4d1_update

Instead of just blocking the file transfers to the maps folder if the extensions were not .bsp, .ain or .nav.

RaptorRU commented 2 months ago

As I understand it, Valve will not fix this anymore... What is their logic if they disabled downloading user content by default?