View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
---|---|---|---|---|---|---|---|---|---|
0004949 | Spring engine | General | public | 2015-09-10 01:19 | 2015-09-11 17:53 | ||||
Reporter | abma | ||||||||
Assigned To | abma | ||||||||
Priority | normal | Severity | feature | Reproducibility | always | ||||
Status | resolved | Resolution | reopened | ||||||
Product Version | |||||||||
Target Version | 101.0 | Fixed in Version | |||||||
Summary | 0004949: springs ingame permission check broken | ||||||||
Description | it seems it's possible to change ingame username easily by editing script.txt: just join a game as spectator, leave the game, edit script.txt, change username as you wish and then rejoin. one very problematic thing is, that spads checks permissions by username: if a user knows an admin/moderator username he can issue all commands: stop game, cheat, ... spring has a setting which possibly affects this: https://springrts.com/wiki/Springsettings.cfg#AllowSpectatorJoin is spring to blame or spads? or both? | ||||||||
Additional Information | i've contacted bibim about this and atm i'm waiting for feedback. or can this be solved somehow engine-side? i.e. by changing AllowSpectatorJoin to false as default? (this bug report is private as it seems to affect all current autohosts) | ||||||||
Tags | No tags attached. | ||||||||
Checked infolog.txt for Errors | |||||||||
Attached Files |
abma (administrator) 2015-09-10 15:31 |
ok, talked to bibim: spads doesn't change/read spring's config (which absolutely makes sense), so the default setting imo should be changed |
abma (administrator) 2015-09-10 15:39 |
Fix 002857ee60511dce18a784002a3a598cc6d973d0 committed to develop branch: fix 0004949: default disable AllowSpectatorJoin as it allows unauthenticated clients to connect, repo: spring changeset id: 5592 |
hokomoko (developer) 2015-09-10 16:05 |
I'd really like to know if this was actually abused and how often. IMO, most users will prefer it on true, and in places where it matters (autohosts) the admins are tech-savvy enough to change springsettings as they wish. |
jK (developer) 2015-09-10 16:07 |
Fix 08ee557226705baacb44b2f3be03dddc016c85aa committed to develop branch: Revert "fix 0004949:" This reverts commit 002857ee60511dce18a784002a3a598cc6d973d0., repo: spring changeset id: 5594 |
abma (administrator) 2015-09-10 20:06 |
another approach: allow "AllowSpectatorJoin" to be changed via the autohost interface |
silentwings (reporter) 2015-09-11 00:07 |
"(this bug report is private as it seems to affect all current autohosts)" It's not private, I can see it when I'm not logged in! |
abma (administrator) 2015-09-11 00:29 |
i made it public because some troll already had this info and broke some game. |
Jools (reporter) 2015-09-11 00:29 |
But... Aren't the commands to the game forwarded from the battle room, and the check in battleroom is done by spring. For example: you cannot issue the command /cheat in game, you must issue it with the command !send /cheat. Also, spads has spoof protection, there is a setting for it too. Basically it checks whether the ip in game matches the one in battleroom afaik. --- When spoof protection preference is enabled, SPADS checks that the in-game IP address of the user matches his IP address in lobby. If they don't match, SPADS can auto-kick the player from game, or print a warning message. Spoof protection may produce false positives (if a proxy is used to connect to lobby server for instance). --- Wouldn't it be better to set this value to "on" instead of disabling spectator joins? People want to join as spectators. |
Jools (reporter) 2015-09-11 00:31 |
http://planetspads.free.fr/spads/doc/spadsDoc_All.html The default value is to warn. I usually have false positives on my own account, or I had before at least, because I hosted the autohost on same server as I played from. |
abma (administrator) 2015-09-11 10:25 |
a possible workaround which reduces the effects could be to override the username of the client connecting without a password. |
abma (administrator) 2015-09-11 17:53 |
Fix 073afd36890e3c26d3248b8f4b83eafca545dbae committed to develop branch: fix 0004949, repo: spring changeset id: 5603 |
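
A minimal model of the checks discussed in this thread, added here as an illustration; it is not code from Spring or SPADS. It contrasts a permission check keyed on the claimed username with one that applies the username override for passwordless clients and the lobby/in-game IP comparison. All names (`LOBBY`, `Conn`, the `~spec` placeholder) and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed lobby-side data: account -> authenticated lobby IP and rights.
LOBBY = {
    "admin_alice": {"ip": "198.51.100.10", "admin": True},
    "bob": {"ip": "203.0.113.7", "admin": False},
}

@dataclass
class Conn:
    """In-game connection as a host might see it (hypothetical fields)."""
    claimed_name: str   # taken from the client's script.txt, client-controlled
    ip: str             # source address of the in-game connection
    password_ok: bool   # True only if the client presented its join password

def name_only_check(conn: Conn) -> bool:
    """Check as described in the report: rights follow the claimed name."""
    acct = LOBBY.get(conn.claimed_name)
    return bool(acct and acct["admin"])

def effective_name(conn: Conn, slot: int) -> str:
    """Workaround from the thread: override the name of passwordless clients."""
    if conn.password_ok:
        return conn.claimed_name
    return f"~spec{slot}"  # placeholder format, an assumption of this example

def spoof_check(conn: Conn, mode: str = "warn") -> str:
    """Compare in-game IP with lobby IP; returns 'ok', 'warn', 'kick' or 'unknown'."""
    acct = LOBBY.get(conn.claimed_name)
    if acct is None:
        return "unknown"
    if acct["ip"] == conn.ip:
        return "ok"
    return "kick" if mode == "kick" else "warn"

def hardened_check(conn: Conn, slot: int, mode: str = "warn") -> bool:
    """Grant rights only to a password-verified name whose IP matches the lobby."""
    acct = LOBBY.get(effective_name(conn, slot))
    if not (acct and acct["admin"]):
        return False
    return spoof_check(conn, mode) == "ok"
```

As the thread notes, the IP comparison can produce false positives (for example behind a proxy), so in this model such a user is denied admin commands until the mismatch is resolved.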
Date Modified | Username | Field | Change |
---|---|---|---|
2015-09-10 01:19 | abma | New Issue | |
2015-09-10 01:20 | abma | Additional Information Updated | |
2015-09-10 01:20 | abma | Additional Information Updated | |
2015-09-10 01:21 | abma | Additional Information Updated | |
2015-09-10 01:21 | abma | Additional Information Updated | |
2015-09-10 01:22 | abma | Description Updated | |
2015-09-10 01:22 | abma | Issue Revision Dropped: Description: 0003754 | |
2015-09-10 01:23 | abma | Issue Revision Dropped: Description: 0003755 | |
2015-09-10 01:23 | abma | Issue Revision Dropped: Additional Information: 0003749 | |
2015-09-10 01:23 | abma | Issue Revision Dropped: Additional Information: 0003753 | |
2015-09-10 01:23 | abma | Issue Revision Dropped: Additional Information: 0003750 | |
2015-09-10 01:23 | abma | Issue Revision Dropped: Additional Information: 0003751 | |
2015-09-10 01:23 | abma | Issue Revision Dropped: Additional Information: 0003752 | |
2015-09-10 15:31 | abma | Note Added: 0015141 | |
2015-09-10 15:39 | abma | Changeset attached | => spring develop 002857ee |
2015-09-10 15:39 | abma | Note Added: 0015142 | |
2015-09-10 15:39 | abma | Assigned To | => abma |
2015-09-10 15:39 | abma | Status | new => resolved |
2015-09-10 15:39 | abma | Resolution | open => fixed |
2015-09-10 16:05 | hokomoko | Note Added: 0015143 | |
2015-09-10 16:05 | hokomoko | Status | resolved => feedback |
2015-09-10 16:05 | hokomoko | Resolution | fixed => reopened |
2015-09-10 16:07 | jK | Changeset attached | => spring develop 08ee5572 |
2015-09-10 16:07 | jK | Note Added: 0015144 | |
2015-09-10 16:07 | jK | Assigned To | abma => jK |
2015-09-10 16:07 | jK | Status | feedback => resolved |
2015-09-10 18:46 | abma | View Status | private => public |
2015-09-10 20:06 | abma | Note Added: 0015146 | |
2015-09-10 20:06 | abma | Severity | major => feature |
2015-09-10 20:06 | abma | Status | resolved => new |
2015-09-11 00:07 | silentwings | Note Added: 0015147 | |
2015-09-11 00:29 | abma | Note Added: 0015148 | |
2015-09-11 00:29 | Jools | Note Added: 0015149 | |
2015-09-11 00:31 | Jools | Note Added: 0015150 | |
2015-09-11 10:25 | abma | Note Added: 0015151 | |
2015-09-11 17:53 | abma | Changeset attached | => spring develop 073afd36 |
2015-09-11 17:53 | abma | Note Added: 0015153 | |
2015-09-11 17:53 | abma | Assigned To | jK => abma |
2015-09-11 17:53 | abma | Status | new => resolved |