Open mitros123 opened 3 months ago
Ideally the server should be the one who puts the name before a message, it should not be left to the client.
I suppose the username formation is delegated to the client because there can be cases (for example, in split-screen online multiplayer) when the name of the player who types the message cannot be determined uniquely by the server alone. So I guess the client still has to send the name, but then the server can check whether there is a player on the corresponding peer with such a name.
Description
Hello. It is possible to forge the message sent in a lobby by simply setting the sender's name in a message with a modified client. This is of minor impact, but it may result in a player pretending to be another one, and causing the latter to be kicked due to the former's chat behavior.
The function responsible for sending a chat message is ClientLobby::sendChat() of src/network/protocols/client_lobby.cpp. It looks like the following:
The name of the player is put before the text, encoded and sent. The function that handles the chat is ClientLobby::handleChat(). That function does not sanitize the contents of the message:
As a result, a modified client (either by static patching or dynamic hooking) that is set to alter the name inside the message will be able to impersonate another client. Ideally the server should be the one who puts the name before a message; it should not be left to the client.
Steps to reproduce
Simply set a different name in the line
Configuration
STK version: From github, commit 84dff44
Additional information
(Part of) stdout.log of server:
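The impersonation described in this report, and the server-side check proposed in the reply above (verify that the claimed name belongs to a player on the sending peer, then let the server build the broadcast line), as an added example. This is illustration code written for this page, not STK's own ClientLobby/ServerLobby code: Peer, clientBuildChat, serverRelayUnchecked, serverRelayChecked and the "name: text" separator are assumptions standing in for the real protocol types.

```cpp
#include <cstdint>
#include <iostream>
#include <set>
#include <string>

// Hypothetical stand-in for a connected peer (not STK's STKPeer). A split-screen peer can
// host several local players, which is why the client still has to say which one is typing.
struct Peer {
    uint32_t hostId;
    std::set<std::string> playerNames;
};

// Client side, mirroring the report: the sender's name is prepended by the client itself,
// so a patched client can write any name here.
std::string clientBuildChat(const std::string& name, const std::string& text) {
    return name + ": " + text;
}

// Vulnerable server handler: forwards the client-built line without inspecting it.
std::string serverRelayUnchecked(const Peer& /*from*/, const std::string& wire) {
    return wire;
}

struct ChatVerdict {
    bool accepted;      // false => message dropped (and the sending peer can be flagged)
    std::string line;   // the line the server actually broadcasts
};

// Hardened handler: split off the claimed name, require it to be one of the players
// actually attached to the sending peer, and rebuild the broadcast line server-side.
ChatVerdict serverRelayChecked(const Peer& from, const std::string& wire) {
    static const std::string sep = ": ";
    const size_t pos = wire.find(sep);
    if (pos == std::string::npos)
        return {false, ""};                       // malformed: no "name: text" structure
    const std::string claimed = wire.substr(0, pos);
    const std::string text = wire.substr(pos + sep.size());
    if (from.playerNames.count(claimed) == 0)
        return {false, ""};                       // name does not belong to this peer
    return {true, claimed + sep + text};          // the server, not the client, owns the prefix
}

int main() {
    // Constructed lobby: a single-player peer (the attacker) and a split-screen peer.
    Peer attacker{1, {"Mallory"}};
    Peer splitScreen{2, {"Alice", "Bob"}};

    // Forged message from a patched client on peer 1 claiming to be Alice.
    const std::string forged = clientBuildChat("Alice", "you all suck");
    std::cout << "unchecked: " << serverRelayUnchecked(attacker, forged) << "\n";
    ChatVerdict v = serverRelayChecked(attacker, forged);
    std::cout << "checked:   " << (v.accepted ? v.line : "<dropped>") << "\n";

    // Legitimate split-screen message from Bob on peer 2 still passes the check.
    v = serverRelayChecked(splitScreen, clientBuildChat("Bob", "gg"));
    std::cout << "checked:   " << (v.accepted ? v.line : "<dropped>") << "\n";
    return 0;
}
```

The unchecked path relays "Alice: you all suck" from a peer that has no player named Alice, which is exactly what gets the real Alice kicked; the checked path drops it while still accepting either local player of a split-screen peer. A rejected verdict is also the natural point to log or kick the offending peer, since a mismatched name cannot come from an unmodified client.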