Block AMX Messages and Commands

[shoober420]

Can you please add an option to block AMX messages and commands sent to the client for the sake of security?

[Tele42]

Please send AMX mod issues to AMX devs.

[shoober420]

This isn't an AMX issue. This isn't an AMX bug. There have been multiple issues started about how AMX can cause redirects, change cvars without them knowing, and display unwanted AMX messages. The client should be protected from mods that do malicious and exploitable actions.

[WildCard65]

The forum moderators are trying their best to keep the general community from finding out about these ways around protections but that does not mean that valve should prevent AMXX from sending messages or commands as the people who are using them are not going to get it on the forums and all the approved plugins aren't malicious. TIP: Stay away from bad servers(especially ones with DP(look for the metamod plugin that shortens to dp, or look for steamids that aren't actually obtainable(like 9+ lengths, LAN ones, etc)))

[shoober420]

WildCard65 that does not mean that valve should prevent AMXX from sending messages or commands as the people who are using them are not going to get it on the forums and all the approved plugins aren't malicious

I'm not saying ALL the AMX commands should be blocked forcefully. It should be an option to block external commands being sent to your machine from the server. Server redirects are a big one. Clients should also have the option to disable AMX messages. Harmful or not, THEY ARE ANNOYING. Plug-ins should not be allowed to issue commands on the client, unless he so desires.

Regardless if its a non-steam server, whether the server is using an "approved" plugin (whatever that means), I don't approve of any plugin issuing commands on my client, and bombarding me with messages. I don't need some third party "approving" plugins that they feel are safe. I can think for myself, and I don't approve of plugins with the ability to issue commands on clients. It should be an option by the client to reject or approve these commands and messages. Classic examples of this is the ability to open someones CDROM tray, change someones bindings, and shut down their game.

[WildCard65]

Ya but do you REALLY want to make all of alliedmodders suffer because of small groups of people who if attempts to post work around on alliedmodders forums gets removed as soon as moderators know about it doings?

On Fri, Jun 6, 2014 at 10:29 AM, shoober420 notifications@github.com wrote:

WildCard65 that does not mean that valve should prevent AMXX from sending messages or commands as the people who are using them are not going to get it on the forums and all the approved plugins aren't malicious

I'm not saying ALL the AMX commands should be blocked forcefully. It should be an option to block external commands being sent to your machine from the server. Server redirects are a big one. Clients should also have the option to disable AMX messages. Harmful or not, THEY ARE ANNOYING. Plug-ins should not be allowed to issue commands on the client, unless he so desires.

Regardless if its a non-steam server, whether the server is using an "approved" plugin (whatever that means), I don't approve of any plugin issuing commands on my client, and bombarding me with messages. It should be an option by the client to reject or approve these commands and messages.

— Reply to this email directly or view it on GitHub https://github.com/ValveSoftware/halflife/issues/1522#issuecomment-45342574 .

[shoober420]

WildCard65 Ya but do you REALLY want to make all of alliedmodders suffer

Like I said before, it should be an OPTION. If clients want mods to run commands on them, because the server needs it, then by all means. But, if I so choose to have all AMX and other server plug-in commands and messages blocked, I should have the choice to do so. Clients shouldn't have to drop there defenses for the sake of the admins "convenience".

[WildCard65]

Then suggest ways to block only the workarounds to the slowhacking protection so AMXX DOES not have to suffer as a whole

On Sat, Jun 7, 2014 at 4:44 AM, shoober420 notifications@github.com wrote:

WildCard65

Ya but do you REALLY want to make all of alliedmodders suffer

Like I said before, it should be an OPTION. If clients want mods to run commands on them, because the server needs it, then by all means. But, if I so choose to have all AMX and other server plug-in commands and messages blocked, I should have a choice. Clients shouldn't have to drop there defenses for the sake of admins "convience".

— Reply to this email directly or view it on GitHub https://github.com/ValveSoftware/halflife/issues/1522#issuecomment-45405051 .

[shoober420]

WildCard65 Then suggest ways to block only the workarounds to the slowhacking protection so AMXX DOES not have to suffer as a whole

I already did. I said that we should have an option to block these commands. There is a similar cvar that does this called "cl_filterstuffcmd", but its not good enough. Redirects are still allowed, messages are not blocked, and AMXX can still send abusive commands to clients. We should be protected from AMXX and similar plug ins that can be used to abuse clients. Of course, like I said already, it should be an option.

For example, have cvars like "cl_blockamxmessages", "cl_blockredirects", and "cl_blockplugincommands". This will let users either allow or block them. So if someone so chooses to allow the server to run commands on them, they can, and everyone will be happy.

I also don't want only "workarounds" for slowhacking, I want there to be an option to block AMXX messages. A client should not be forced to be at the mercy of the server and its plugins.

[Freeman-AM]

Stop playing in those server so... take war server, play with your friends on it, and stop wasting your time with no sense purposal.

[shoober420]

Freeman-AM Stop playing in those server so... take war server, play with your friends on it, and stop wasting your time with no sense purposal.

Its kind of hard to find a server that doesn't use AMX now a days, don't you think? This is an outrageous suggestion, and an ignorant one at that. How hypocritcal to say "no sense purposal" when you have no sense of purposing a decent solution. I would say almost ALL servers use AMXX. Even if the admins don't abuse AMXX, I still don't want to see those annoying messages about how much damage I did, and the admin yelling at other players via AMXX messages. Its very annoying.

Also, when you play 640x480, the text is HUMONGOUS. Its sooooooo distracting to see those big bold letters in your face when your trying to aim at someone. They take up almost the whole screen. I would hope that you have better things to do then be unhelpful and trying to insult others. As if playing with friends would help in anyway. You sir, should take yourself elsewhere.

[Arkshine]

An admin is free to do what he wants with his own server. You have nothing to say in this matter and it's irrelevant to Valve. Please don't force your way of playing. If you don't like, just quit and find another server. I'm not saying it's not annoying to be flooded with messages, but the point is it's up to admin to configure (or not) properly the server. You can also suggest to concerned admins to configure things, there are not much servers which actually do a deep configuration. And if you're still can''t find server as you would like, just make your own, best and fast way.

[shoober420]

Arkshine An admin is free to do what he wants with his own server. You have nothing to say in this matter and it's irrelevant to Valve. Please don't force your way of playing. If you don't like, just quit and find another server.

For the last time, I'm not FORCING ANYTHING. I've said again and again that it should be an OPTION to block AMX commands and messages sent to clients. You can't tell me what I can and cannot say in this matter. Who do you think you are? Valve can very well do something about this, and I'm sure it wouldn't be hard to do something about it either.

Arkshine I'm not saying it's not annoying to be flooded with messages, but the point is it's up to admin to configure (or not) properly the server. You can also suggest to concerned admins to configure things, there are not much servers which actually do a deep configuration. And if you're still can''t find server as you would like, just make your own, best and fast way.

As I already said, the admin can do whatever they please. The thing is, the client should also. If he wants to block admin commands sent to him and messages, he should have the choice. You should NOT be at the mercy of the admin. Yes, he should be allowed to kick and ban you, but if you are not a cause for concern, you should have the right to block admin/mod spam and slowhacking.

[WildCard65]

Valve did there best at blocking slowhacking, AlliedModders forums are also doing their best to unapprove/trash any plugin involving slowhacking as well as not providing assistance or allowing anyone to put up workarounds. Find or make a server for yourself that pleases you and not try to force everyone to suffer or make admins jobs alot harder. Like if admins can't use like a messaging command on you, how can they warn you?

On Sat, Jul 5, 2014 at 2:44 AM, shoober420 notifications@github.com wrote:

Arkshine

An admin is free to do what he wants with his own server. You have nothing to say in this matter and it's irrelevant to Valve. Please don't force your way of playing. If you don't like, just quit and find another server.

For the last time, I'm not FORCING ANYTHING. I've said again and again that it should be an OPTION to block AMX commands and mesages sent to clients. You can't tell me what I can and cannot say in this "matter". Who do you think you are? Valve can very well do something about this, and I'm sure it wouldn't be hard to do either.

Arkshine

I'm not saying it's not annoying to be flooded with messages, but the point is it's up to admin to configure (or not) properly the server. You can also suggest to concerned admins to configure things, there are not much servers which actually do a deep configuration. And if you're still can''t find server as you would like, just make your own, best and fast way.

As I already said, the admin can do what whatever they please. The thing is, the client should also. If he wants to block admin commands sent to him and messages, he should have the choice. You should NOT be at the mercy of the admin. Yes, he should be allowed to kick and ban you, but if you are not a cause for concern, you should have the right to block admin spam and slowhacking.

— Reply to this email directly or view it on GitHub https://github.com/ValveSoftware/halflife/issues/1522#issuecomment-48079772 .

[shoober420]

WildCard65 Valve did there best at blocking slowhacking, AlliedModders forums are also doing their best to unapprove/trash any plugin involving slowhacking as well as not providing assistance or allowing anyone to put up workarounds.

More can be done. Server redirects are still a big problem, and if AlliedModders really cared about this, it would have been stopped long ago.

WildCard65 Find or make a server for yourself that pleases you and not try to force everyone to suffer or make admins jobs alot harder.

What I'm asking would not make admins or anyone else suffer in anyway. Infact, what I'm asking for will reduce suffering client side, and effect admins in no way.

WildCard65 Like if admins can't use like a messaging command on you, how can they warn you?

Does normal chat not exist? How about just actually telling me over the mic? There any numerous ways to communicate with the user then with annoying AMX messages that take up your screen and block your view.

[WildCard65]

AlliedModders do care, they are trying 100% their best to STOP all workarounds from getting passed around on the forums.

On Sun, Jul 6, 2014 at 12:22 AM, shoober420 notifications@github.com wrote:

WildCard65

Valve did there best at blocking slowhacking, AlliedModders forums are also doing their best to unapprove/trash any plugin involving slowhacking as well as not providing assistance or allowing anyone to put up workarounds.

More can be done. Server redirects are still a big problem, and if AlliedModders really cared about this, it would have been stopped long ago.

WildCard65

Find or make a server for yourself that pleases you and not try to force everyone to suffer or make admins jobs alot harder.

What I'm asking would not make admins or anyone else suffer in anyway. Infact, what I'm asking for will reduce suffering client side, and effect admins in no way.

WildCard65

Like if admins can't use like a messaging command on you, how can they warn you?

Does normal chat not exist? How about just actually telling me over the mic? There any numerous ways to communicate with the user then with annoying AMX messages that take up your screen and block your view.

— Reply to this email directly or view it on GitHub https://github.com/ValveSoftware/halflife/issues/1522#issuecomment-48102683 .

[shoober420]

WildCard65 AlliedModders do care, they are trying 100% their best to STOP all workarounds from getting passed around on the forums.

If they truly cared, server redirects would be stopped by now. Server redirects are just one of the many problems with AMX. They are not even considering protecting the clients from all the other slowhacking. Its been going on for too long.

[WildCard65]

Do not blame the alliedmodders community for other people's doing. They do care because they are doing 100% their best to make sure NO ONE spreads workarounds on the forums. So stop playing on servers that use f***ing workarounds.

On Sun, Jul 6, 2014 at 11:58 PM, shoober420 notifications@github.com wrote:

WildCard65

AlliedModders do care, they are trying 100% their best to STOP all workarounds from getting passed around on the forums.

If they truely cared, server redirects would be stopped by now. Server redirects are just one of the many problems with AMX. They are not even considering protecting the clients from all the other slowhacking.

— Reply to this email directly or view it on GitHub https://github.com/ValveSoftware/halflife/issues/1522#issuecomment-48139136 .

[shoober420]

WildCard65 Do not blame the alliedmodders community for other people's doing. They do care because they are doing 100% their best to make sure NO ONE spreads workarounds on the forums. So stop playing on servers that use f***ing workarounds.

Besides the server redirects, all the other slowhacking is intentionally put into AMX. Especially the opening of their CD-ROM tray, shutting down there game, and changing their bindings. Server redirects are only a small problem, which I'm not effected by since I manually join servers.

[WildCard65]

Do you even have the filter cvar set to 1? Also... they are not intentional, the moderators do know work arounds exist but they are 100% making sure that people who don't know how to do them stays unknown to them. Again, stop playing on bad servers if you can't handle something that the AMXX devs can't stop. Also, AMXX messages can also be used like for custom gamemodes, so blocking them might block some helpful things that only AMXX sent messages can only show.

On Thu, Jul 10, 2014 at 9:36 AM, shoober420 notifications@github.com wrote:

WildCard65

Do not blame the alliedmodders community for other people's doing. They do care because they are doing 100% their best to make sure NO ONE spreads workarounds on the forums. So stop playing on servers that use f***ing workarounds.

Besides the server redirects, all the other slowhacking is intentionally put into AMX. Especially the opening of their CD-ROM tray, shutting down there game, and changing their bindings. Server redirects are only a small problem, which I'm not effected by since I manually join servers.

— Reply to this email directly or view it on GitHub https://github.com/ValveSoftware/halflife/issues/1522#issuecomment-48604755 .

[shoober420]

WildCard65 Do you even have the filter cvar set to 1? Also... they are not intentional, the moderators do know work arounds exist but they are 100% making sure that people who don't know how to do them stays unknown to them.

Of course I do. This doesn't prevent all the exploits though, only the changing of key bindings. Being able to open someones CD-ROM tray and shut down there game are still effective. The ability to do these things were delibrate, and put in there on purpose.

WildCard65 Also, AMXX messages can also be used like for custom gamemodes, so blocking them might block some helpful things that only AMXX sent messages can only show.

Again, since I want to make it a choice to block AMX messages, it will be the client at fault if he wants to limit his interaction with the server. It will be a choice if he wants to see custom gamemode or not. I DO NOT WANT TO SEE IT!

[Freeman-AM]

About commands and cvars forcing @shoober420, it's not the purpose of amxmodx to handle something related to valve failure. It's only valve fault if people can use cd commands to open your CD. It's only valve fault if people found redirect workaround so easyly (you can't found them on Alliedmodders) True fact is that 90% of people using the redirect workaround found it here, on this github, because of valve long term maintenance. This github is the open door for exploit. amxmodx do not promote bad usage. Amxmodx is not responsible of bad usage. Valve is. Stop doing mistake just because you want to vomit on Amxmodx.

[shoober420]

Freeman-AM It's only valve fault if people can use cd commands to open your CD.

A vanilla GoldSrc server without mods of any kind, has no ability to open your disk tray. This is all done threw AMX. The people who developed AMX put it in there. You can't blame Valve for being manipulated by a shady server mod.

Freeman-AM True fact is that 90% of people using the redirect workaround found it here, on this github, because of >valve long term maintenance. This github is the open door for exploit.

Don't act like the alliedmodders forum isn't responsible for this either. They had posts about the same thing there as well. Its not that the exploit is viewable, its that it should be fixed. So even if an exploit is viewable, it will be useless, if the modders patch the mod to prevent it from working. That means AlliedModders need to quit being lazy, and fix it already. Valve shouldn't have to fix it. I'm only asking Valve to do it, because AlliedModders OBVIOUSLY is doing NOTHING about it because they don't care.

Freeman-AM Amxmodx is not responsible of bad usage.

Oh, so if someone builds a car, and the steering fails, and you crash. The builder is not responsible? The person who built and created the product or software your using, is for sure responsible. AMX is responsible for all the exploits it helped make available.

Someone programs remote access software to tie into peoples machines, for technical assistance. Someone out there exploits the remote access software and allows it to tie into anyones machine without them knowing. So the person who created this remote access software isn't responsible, and doesn't need to patch their software? No bro, I don't think so. The software developers are for sure responsible, and need to patch the software.

Freeman-AM Stop doing mistake just because you want to vomit on Amxmodx.

What mistake? AMX is a mistake. It lags servers, trolls players with annoying messages that fill up your screen, and opens up doors to exploit clients. Learn to use RCON.

[WildCard65]

Dude, you do realize your are indeed just flaming AMXX, and stop blaming AMXX for their client command native.
Here's something to consider:
Do not play on servers with dproto
Do not play on servers that use the workarounds
If you can't do both, make a pure vanilla AMXX server, then you won't got issues.
And if you don't want to do that, then just bare with it and stop flaming AMXX because of SCRIPTERS doings... Scripters are responsible for usage of work arounds as they SCRIPTED the workaround into their plugins for AMXX, which makes the AMXX devs NOT responsible for 3rd party plugins.

[shoober420]

WildCard65 Dude, you do realize your are indeed just flaming AMXX, and stop blaming AMXX for their client command native.

You can't tell me what I can and cannot blame. You can't tell me what to do. I will blame AMXX for not patching exploits to prevent malicous scripts from working. They are LAZY and don't care.

WildCard65 Scripters are responsible for usage of work arounds as they SCRIPTED the workaround into their >plugins for AMXX, which makes the AMXX devs NOT responsible for 3rd party plugins.

So, I make a video game, and someone scripts an exploit to allow spectators to fly around in-game, and kill other players. Since I didn't write the script, I'm not responsible for fixing the expoit in my game? I don't think so bro. I'm very responsible for fixing the exploit, since it targets MY work, just as the exploits target AMXX work. You must learn to except responsibility for the things you create, and stop others from manipulating your code.

[WildCard65]

Dude, AMXX can't fix it without removing the entire usage of clientcommand, which will break plugins that call client commands that Valve wish to be executed on clients. What you want is AMXX to die a slow and painful death, which would ultimately lead to the admin system it has to die. Which would leave ALOT of servers without a proper admin system. Do you want to be responsible for killing the only best admin system for gold source servers? Cause at your tone, you want to be responsible.

On Tue, Jul 15, 2014 at 12:53 AM, shoober420 notifications@github.com wrote:

WildCard65 Dude, you do realize your are indeed just flaming AMXX, and stop blaming AMXX for their client >command native.

Don't tell me what I can and cannot blame. You can't tell me what to do. I will blame AMXX for not patching exploits to prevent scipts from working. They are LAZY and don't care.

WildCard65 Scripters are responsible for usage of work arounds as they SCRIPTED the workaround into their >plugins for AMXX, which makes the AMXX devs NOT responsible for 3rd party plugins.

So, I make a video game, and someone scripts and exploit to allow spectators to fly around in-game, and kill other players. Since I didn't write the script, I'm not responsible for fixing the expoit in my game? I don't think so bro. I'm very responsible for fixing the exploit, since it targets MY work, just as the exploits target AMXX work. You must learn to except responsibility for the things you create.

— Reply to this email directly or view it on GitHub https://github.com/ValveSoftware/halflife/issues/1522#issuecomment-48990505 .

[shoober420]

WildCard65 Dude, AMXX can't fix it without removing the entire usage of clientcommand, which will break plugins that call client commands that Valve wish to be executed on clients.

You can restrict what a command does, without having to remove the entire command. You saying that is just silly.

[WildCard65]

Only problem, AMXX is OPENSOURCE so adding restrictions will be pointless as people can always remove restrictions.

[shoober420]

WildCard65 Only problem, AMXX is OPENSOURCE so adding restrictions will be pointless as people can always remove restrictions.

Just because something is open source, doesn't mean that the restrictions can be removed. They would have to change the code, and compile there own custom AMX mod to run on the server, for that to be an issue. They would then have to get permission to use this customized AMX mod on there server, unless they want the AMX devs to sue for using source code without permission. I can't image people doing this, as most, if not all server admins would use the official build, which would include the fix for the exploits (if they actually decide to fix them).

[WildCard65]

Stop saying AMX, AMX is not AMXX and AMXX is licensed under the GPL meaning that alliedmodders CAN NOT sue people for customizing AMXX or do anything about it. So ya, they can't add restrictions/won't either cause it'll be pointless too as people CAN freely remove the restrictions.

[shoober420]

WildCard65 Stop saying AMX, AMX is not AMXX and AMXX is licensed under the GPL meaning that alliedmodders >CAN NOT sue people for customizing AMXX or do anything about it. So ya, they can't add >restrictions/won't either cause it'll be pointless too as people CAN freely remove the restrictions.

I was saying AMX, to universaly refer to both of these mods, since they both pretty much do the same thing, and have exploits to use on clients. I'll call it whatever I want, and you can't tell me what to call it. You can't tell me what to say. Regardless if its under the GPL, someone would still have to recompile AMX and use there own customize AMX mod on the server. Not to many people would do this. Only a malicous server that would remove the patches (if they actually patch them) that fix the exploits would do this. I doubt anyone would play there. You know anyone who uses there own customized AMX mod? That's what I thought. So your statements about it being a problem that its open source is NULL. It doesn't matter. This is not an excuse to ignore the exploits and not patch AMX. You are really digging low for reasons for them not to patch.

[WildCard65]

Mostly malicious servers would be using the workarounds

[shoober420]

WildCard65 Mostly malicious servers would be using the workarounds

Which wouldn't matter, if AMX would patch their mod to fix the exploits and prevent the workarounds.

[WildCard65]

Which still won't matter as the fixes can always be removed.

On Wed, Jul 16, 2014 at 4:38 PM, shoober420 notifications@github.com wrote:

WildCard65 Mostly malicious servers would be using the workarounds

Which wouldn't matter, if AMX would patch there mod to fix the exploits.

— Reply to this email directly or view it on GitHub https://github.com/ValveSoftware/halflife/issues/1522#issuecomment-49223417 .

[shoober420]

WildCard65 Which still won't matter as the fixes can always be removed.

Only if the malicous admin edits the code to remove the patches, and recompiles a custom AMX mod, which no one does. No one uses a custom built AMX mod. Do you know any admins that custom build there AMX mods? Didn't think so. Nice try though. Good effert.

[WildCard65]

But what's to stop them from doing it. No one is because there is no reason too, but through in restrictions and people will start recompiling amxx to remove them. Face it, you won't win this arguement. On 2014-07-16 8:54 PM, "shoober420" notifications@github.com wrote:

WildCard65 Which still won't matter as the fixes can always be removed.

Only if the malicous admin edits the code, and recompiles a custom AMX mod, which no one does. No one uses a custom built AMX mod. Do you know any admins that custom build there AMX mods? Didn't think so. Nice try though. Good effert.

— Reply to this email directly or view it on GitHub https://github.com/ValveSoftware/halflife/issues/1522#issuecomment-49247068 .

[JoelTroch]

If someone decide to build the mod without patches against workarounds and redistribute it on a external website like Mediafire ?

[WildCard65]

Nothing can stop them from doing so... On 2014-07-16 9:33 PM, "Shepard62700FR" notifications@github.com wrote:

If someone decide to build the mod without patches against workarounds and redistribute it on a external website like Mediafire ?

— Reply to this email directly or view it on GitHub https://github.com/ValveSoftware/halflife/issues/1522#issuecomment-49249307 .

[JoelTroch]

Absolutely right @WildCard65

[shoober420]

WildCard65 But what's to stop them from doing it. No one is because there is no reason too, but through in restrictions and people will start recompiling amxx to remove them. Face it, you won't win this arguement.

Until someone actually decides to modify, and recompile there own AMX mod to run on there server, you have lost this arguement, and are digging through the bottom of the barrell for reasons not to patch up AMX. No one runs there own modified AMX mod. NO ONE.

Shepard62700FR If someone decide to build the mod without patches against workarounds and redistribute it on a >external website like Mediafire ?

Who would actually use it? On top of that, who would actually play on the server? NO ONE. Who wants to play on a server with a modified AMX mod that removes patches for exploits? No one would. On top of that, no one uses there own customized AMX mod. Its ridiculous to even consider this a reason to not patch AMX. Just a bunch of lazy people looking for lame excuses to not fix there poop mod.

[di57inct]

You people seriously need to stfu.

Valve won't update GoldSrc games because they're a bunch of greedy shit heads and the AMXX team can't do shit because people can use older versions of HLDS and AMXX any time they want, so it doesn't matter if they "fix" it.

End of story.

[yamikaitou]

@shoober420 You fail to realize that AMXX is not the one at fault here. AMXX is just hooking functions that the HLSDK exposes. If you go into your console and type the command 'cd open', your CD tray will open, even if you are not connected to a server. Even if AMXX remove the ability to use client_cmd (which would break many letigiment usages of the command, it would not prevent someone from making a Metamod module that does the same thing. Everything that Metamod and AMXX can do, the HLSDK is letting it. If you truly do not want Metamod or AMXX to do something, then it must be removed from the HLSDK, which only Valve can do.

[shoober420]

di57inct Valve won't update GoldSrc games because they're a bunch of greedy shit heads and the AMXX team can't do shit because people can use older versions of HLDS and AMXX any time they want, so it doesn't matter if they "fix" it.

It does matter, because most admins do update there software. The only admins I can think of who don't update there software, are NON STEAM servers. I would think everyone in this thread doesn't play on those. Only a malicous server admin would edit the code, or not update there AMX. Those kind of servers wouldn't attract to many players, don't you think? Valve is too busy getting SteamOS and Steamboxes ready. They have no time to update GoldSrc games right now. We are fortunate that they updated them at all. They aren't lazy, its the AMX guys who are lazy.

yamikaitou You fail to realize that AMXX is not the one at fault here. AMXX is just hooking functions that the HLSDK exposes. If you go into your console and type the command 'cd open', your CD tray will open, even if you are not connected to a server.

You fail to realize, that if the user himself chooses to use this command, its perfectly fine. But, if a server mod has the ability to issue these commands on clients, then that's a HUGE problem. It shouldn't be allowed.

yamikaitou Even if AMXX remove the ability to use client_cmd (which would break many letigiment usages of the command, it would not prevent someone from making a Metamod module that does the same thing.

I have mentioned numerous times already, that I don't want the client_cmd completely removed, just that its usage limited. If someone does decide to create there own module like AMX, just for malicous use, NO ONE WOULD PLAY ON THAT SERVER. "Don't play on that server bro, he uses custom modules made to exploit clients." I'm sure this guys server would be very popular...derp

[WildCard65]

You do know that hundreds of servers are no-steam servers with players all the time... but still, how would one know if someone customized amxx if they don't use or look at source(original), they may NEVER know if the usage was limitted... On 2014-07-17 9:06 PM, "shoober420" notifications@github.com wrote:

di57inct Valve won't update GoldSrc games because they're a bunch of greedy shit heads and the AMXX team >can't do shit because people can use older versions of HLDS and AMXX any time they want, so it >doesn't matter if they "fix" it.

It does matter, because most admins do update there software. Only a malicous server admin would edit the code, or not update there AMX. Those kind of servers wouldn't attract to many players, don't you think? Valve is too busy getting SteamOS and Steamboxes ready. They have no time to update GoldSrc games right now. We are fortunate that they updated them at all. They aren't lazy, its the AMX guys who are lazy.

yamikaitou

You fail to realize, that if the user himself chooses to use this command, its perfectly fine. But, if a server mod has the ability to issue these commands on clients, then that's a HUGE problem. It shouldn't be allowed.

yamikaitou Even if AMXX remove the ability to use client_cmd (which would break many letigiment usages of the >command, it would not prevent someone from making a Metamod module that does the same thing.

I have mentioned numerous times already, that I don't want the client_cmd completely removed, just that its usage limited. If someone does decide to create there own module like AMX, just for malicous use, NO ONE WOULD PLAY ON THAT SERVER. "Don't play on that server bro, he uses custom modules made to exploit clients." I'm sure this guys server would be very popular...derp

— Reply to this email directly or view it on GitHub https://github.com/ValveSoftware/halflife/issues/1522#issuecomment-49385367 .

[yamikaitou]

So it is AMXX's fault that Valve lets it send these commands? The SteamPipe transition implemented a way to block these malicious commands already (cl_filterstuffcmd), it is just that the detection method used doesn't detect everything. Workarounds to the detection method were found by malicious people.

I do agree that a better detection method is needed, but don't overkill it. What you are suggesting here is pure overkill and will hurt many legitimate communities.

[shoober420]

WildCard65 You do know that hundreds of servers are no-steam servers with players all the time... but still, how would one know if someone customized amxx if they don't use or look at source(original), they may NEVER know if the usage was limitted...

I don't play on NON-STEAM servers, so I don't care. You can use a site called "GameTracker", which displays what version of AMX and metamod its running. If there using an older version of AMX mod, then you would of course know, its a malicous server.

[WildCard65]

You do know people can change the version number to fake it, or take latest version and revert change done it via github commit viewing

[di57inct]

@shoober420 I couldn't give lesser fucks about what they're busy with. I bought the game, so it's their duty to fix it, unlike the AMXX dev team who are doing it for free. But for Valve fix = 5 years later + fuck up, so...

L4D2 is also full of bugs. Actually, come to think of it, most of their games have problems which aren't being fixed. Take a better look before defending them.

[shoober420]

yamikaitou So it is AMXX's fault that Valve lets it send these commands?

No, it is the fault of AMX to allow a server to execute commands only the user should be allowed to execute. Valve didn't create these commands so malicous server mods could exploit them. AMX deliberately said to themselves, "Hey, lets program our mod to allow the execution of commands that only users should be able to do." Not very nice people.

yamikaitou I do agree that a better detection method is needed, but don't overkill it. What you are suggesting here is pure overkill and will hurt many legitimate communities.

Pure overkill to ask them to limit a command? I don't think so bro. Maybe if I said, remove the whole ability to use the command. Yes, that would be overkill. But, I'm not asking to do this, I'm simply saying they should limit the functionality of this command. This is NOT overkill.

WildCard65 You do know people can change the version number to fake it, or take latest version and revert change done it via github commit viewing

When you start to see bogus AMX version numbers flying around, or servers that supposily use the latest AMX mod, but have there CD tray opening, game shutting down randomly, and binding changed, you'll know that they are lieing. Word would get around, and no one would play on that server. It would be a loosing battle if someone maliciously tried to create there own custom AMX mod. This isn't a problem anyway, because no one does this to begin with. Mentioning it is just absurd.

di57inct I couldn't give lesser fucks about what they're busy with. I bought the game, so it's their duty to fix it, unlike the AMXX dev team who are doing it for free. But for Valve fix = 5 years later + fuck up, so...

You're fortunate enough that Valve decided to even update an over decade old game. Not too many companies would do this. GoldSrc games are for the most part, fully playable with no bugs that brake the game. They already fixed those annoying ones. After the release of SteamOS and Steamboxes, we will see them pay attention to the GoldSrc github again.

di57inct L4D2 is also full of bugs. Actually, come to think of it, most of their games have problems which aren't being fixed. Take a better look before defending them.

I played L4D2 on Linux recently for a good 10 hours in total. I didn't encouter any bugs. Could you please link to some bugs that are so game breaking?

[yamikaitou]

Wrong, malicious owners coded plugins that used a GENERIC function within AMXX that sends a command that Valve allowed. AMXX has done nothing wrong here, the only thing they have done is let plugin authors use a function that Valve exposed. The function I am speaking of is client_cmd. It is Valve's responsibility to filter what commands can be sent, not AMXX.

Also, looking back in history at AdminMod (which Alfred was one of the lead developers for), it include an admin command, with the core files, that allowed an admin to execute commands. AMXX does not include such command by default, it must be performed by a 3rd party plugin.

What you are requesting here is overkill as a limitation already exists (cl_filterstuffcmd) and you are requesting even more limitations (preventing the usage of a generic function).

[WildCard65]

@shoober420 "When you start to see bogus AMX version numbers flying around, or servers that supposily use the latest AMX mod, but have there CD tray opening, game shutting down randomly, and binding changed, you'll know that they are lieing. Word would get around, and no one would play on that server. It would be a loosing battle if someone malicously tried to create there own custom AMX mod. This isn't a problem anyway, because no one does this to begin with. Mentioning it is just absurd." I believe the cd command is one of the filtered command as well as the bind command... Plus what client would ever stay update to date on AMXX's changelog... NO ONE! SO NO ONE WOULD BE ABLE TO TELL THE DIFFERENCE BETWEEN A BOGUS AND NON-BOGUS AKXX, ONLY SERVER OPERATORS CAN CAUSE THEY WOULD KNOW WHERE TO FIND THE ORIGINAL AMXX!

On Fri, Jul 18, 2014 at 1:20 AM, Ryan notifications@github.com wrote:

Wrong, malicious owners coded plugins that used a GENERIC function within AMXX that sends a command that Valve allowed. AMXX has done nothing wrong here, the only thing they have done is let plugin authors use a function that Valve exposed. The function I am speaking of is client_cmd. It is Valve's responsibility to filter what commands can be sent, not AMXX.

Also, looking back in history at AdminMod (which Alfred was one of the lead developers for), it include an admin command, with the core files, that allowed an admin to execute commands. AMXX does not include such command by default, it must be performed by a 3rd party plugin.

What you are requesting here is overkill as a limitation already exists (cl_filterstuffcmd) and you are requesting even more limitations (preventing the usage of a generic function).

— Reply to this email directly or view it on GitHub https://github.com/ValveSoftware/halflife/issues/1522#issuecomment-49396378 .