osuAkatsuki / bancho.py

An osu! server for the generic public, optimized for maintainability in modern python
https://akatsuki.gg
MIT License
217 stars 131 forks

bug: (cho.py) MatchJoin function does not validate the password. #387

Closed t0v4 closed 1 year ago

t0v4 commented 1 year ago

Describe the bug

MatchJoin function does not validate the provided password with the actual password that was set up for the match.

To Reproduce

  1. Ask a friend to create a match and set up a random password
  2. Try joining his match with any password

Expected behavior

It should say that the provided match password is incorrect.

bancho.py Version

4.6.4

Python Version

3.10.X

Relevant log output

No response

Additional context

Code snippet for an easy fix: `if (str(m.passwd) != str(self.match_passwd)): p.enqueue(app.packets.match_join_fail())`

minisbett commented 1 year ago

Why don't you create a pull request if you have a fix? Also you don't have to do str() on any of the two sides of the if comparison. You also don't have to put brackets around it

t0v4 commented 1 year ago

I didn't fork this repo

minisbett commented 1 year ago

Then do it. You can literally edit it on github directly.

t0v4 commented 1 year ago

no

tsunyoku commented 1 year ago

it does validate the password, can be seen here: https://github.com/osuAkatsuki/bancho.py/blob/618e25b2bce79ffb525d3acab2f566abc2d1794e/app/objects/player.py#L645

if your friend was able to join with any password, they likely have staff privileges as this code shows there is a bypass for those with staff.
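
The behaviour described in the last comment (password check plus a staff bypass), as an added sketch that is not bancho.py's own code: it shows why a report like this one cannot be confirmed from a staff account, and records the reason each join was allowed so the two cases can be told apart in logs. `Privileges`, `Player`, `Match`, `join_match` and the reason strings are hypothetical names chosen for the illustration.

```python
# Added illustration; every name here is hypothetical, not bancho.py's API.
from dataclasses import dataclass, field
from enum import IntFlag


class Privileges(IntFlag):
    NORMAL = 1 << 0
    MODERATOR = 1 << 1
    ADMINISTRATOR = 1 << 2
    STAFF = MODERATOR | ADMINISTRATOR  # any staff bit grants the bypass


@dataclass
class Player:
    name: str
    priv: Privileges


@dataclass
class Match:
    passwd: str
    members: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # (player, outcome) records


def join_match(player: Player, match: Match, supplied: str) -> tuple:
    """Return (joined, reason); reason says which rule decided the outcome."""
    if player.priv & Privileges.STAFF:
        # Staff skip the password check entirely, so a wrong password
        # "works" for them and looks like missing validation.
        joined, reason = True, "staff-bypass"
    elif supplied == match.passwd:  # both are str, no str() cast needed
        joined, reason = True, "password-ok"
    else:
        joined, reason = False, "bad-password"
    if joined:
        match.members.append(player.name)
    match.audit.append((player.name, reason))
    return joined, reason


def reproduce_report(match_passwd: str, wrong_passwd: str) -> dict:
    """Replay the issue's steps with a staff and a non-staff tester."""
    match = Match(passwd=match_passwd)
    staff = Player("staff_tester", Privileges.NORMAL | Privileges.MODERATOR)
    user = Player("plain_tester", Privileges.NORMAL)
    return {
        "staff": join_match(staff, match, wrong_passwd),
        "user": join_match(user, match, wrong_passwd),
        "members": list(match.members),
    }
```
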