2019-08-21 03:34 CEST

View Issue Details Jump to Notes ] Related Changesets ]
IDProjectCategoryView StatusLast Update
0004949Spring engineGeneralpublic2015-09-11 17:53
Reporterabma 
Assigned Toabma 
PrioritynormalSeverityfeatureReproducibilityalways
StatusresolvedResolutionreopened 
Product Version 
Target Version101.0Fixed in Version 
Summary0004949: springs ingame permission check broken
Descriptionit seems its possible to change ingame username easily by editing script.txt:

just join a game as spectator, leave the game, edit scrip.txt, change username as you wish and then rejoin.

one very problematic thing is, that spads checks permissions by username: if a user knows a admin/moderator username he can issue all commands: stop game, cheat, ...


spring has a setting which possible affects this:

https://springrts.com/wiki/Springsettings.cfg#AllowSpectatorJoin

 is spring to blame or spads? or both?
Additional Informationi've contacted bibim about this and atm i'm waiting for feedback.


or can this be solved somehow engine-side?

i.e. by changing AllowSpectatorJoin to false as default?

(this bug report is private as it seems to affect all current autohosts)
TagsNo tags attached.
Checked infolog.txt for lua Errors
Attached Files

-Relationships
+Relationships

-Notes

~0015141

abma (administrator)

ok, talked to bibim: spads doesn't change/read spring's config (which absolutely makes sense), so the default setting imo should be changed

~0015142

abma (administrator)

Fix 002857ee60511dce18a784002a3a598cc6d973d0 committed to develop branch: fix 0004949:

default disable AllowSpectatorJoin as it allows unauthenticated clients to connect, repo: spring changeset id: 5592

~0015143

hokomoko (developer)

I'd really like to know if this was actually abused and how often.

IMO, most users will prefer it on true, and in places where it matters (autohosts) the admins are tech-savvy enough to change springsettings as they wish.

~0015144

jK (developer)

Fix 08ee557226705baacb44b2f3be03dddc016c85aa committed to develop branch: Revert "fix 0004949:"

This reverts commit 002857ee60511dce18a784002a3a598cc6d973d0., repo: spring changeset id: 5594

~0015146

abma (administrator)

an other approach: allow "AllowSpectatorJoin" to be changed via the autohost interface

~0015147

silentwings (reporter)

| (this bug report is private as it seems to affect all current autohosts)
It's not private, I can see it when I'm not logged in!

~0015148

abma (administrator)

i made it public because some troll already had this info and broke some game.

~0015149

Jools (reporter)

But...

Isn't the commands to the game forwarded from the battle room, and the check inm battleroom is done by spring. For example: you cannot issue the command /cheat in game, you must issue it with the command !send /cheat.

Also, spads has spoof protection, there is a setting for it too. Basicially it checks whether the ip in game matches the one in battleroom afaik.

---
When spoof protection preference is enabled, SPADS checks that the in-game IP address of the user matches his IP address in lobby. If they don't match, SPADS can auto-kick the player from game, or print a warning message. Spoof protection may produce false positives (if a proxy is used to connect to lobby server for instance).
---

Wouldn't it be better to set this value to "on" instead of disabling spectator joins? People want to join as spectators.

~0015150

Jools (reporter)

http://planetspads.free.fr/spads/doc/spadsDoc_All.html

The default value is to warn. I usually have false positives on my own account, or I had before at least, because I hosted the autohost on same server as I played from.

~0015151

abma (administrator)

a possible workarround which reduces the effects could be to override the username of the client connecting without a password.

~0015153

abma (administrator)

Fix 073afd36890e3c26d3248b8f4b83eafca545dbae committed to develop branch: fix 0004949, repo: spring changeset id: 5603
+Notes

+Related Changesets

-Issue History
Date Modified Username Field Change
2015-09-10 01:19 abma New Issue
2015-09-10 01:20 abma Additional Information Updated
2015-09-10 01:20 abma Additional Information Updated
2015-09-10 01:21 abma Additional Information Updated
2015-09-10 01:21 abma Additional Information Updated
2015-09-10 01:22 abma Description Updated
2015-09-10 01:22 abma Issue Revision Dropped: Description: 0003754
2015-09-10 01:23 abma Issue Revision Dropped: Description: 0003755
2015-09-10 01:23 abma Issue Revision Dropped: Additional Information: 0003749
2015-09-10 01:23 abma Issue Revision Dropped: Additional Information: 0003753
2015-09-10 01:23 abma Issue Revision Dropped: Additional Information: 0003750
2015-09-10 01:23 abma Issue Revision Dropped: Additional Information: 0003751
2015-09-10 01:23 abma Issue Revision Dropped: Additional Information: 0003752
2015-09-10 15:31 abma Note Added: 0015141
2015-09-10 15:39 abma Changeset attached => spring develop 002857ee
2015-09-10 15:39 abma Note Added: 0015142
2015-09-10 15:39 abma Assigned To => abma
2015-09-10 15:39 abma Status new => resolved
2015-09-10 15:39 abma Resolution open => fixed
2015-09-10 16:05 hokomoko Note Added: 0015143
2015-09-10 16:05 hokomoko Status resolved => feedback
2015-09-10 16:05 hokomoko Resolution fixed => reopened
2015-09-10 16:07 jK Changeset attached => spring develop 08ee5572
2015-09-10 16:07 jK Note Added: 0015144
2015-09-10 16:07 jK Assigned To abma => jK
2015-09-10 16:07 jK Status feedback => resolved
2015-09-10 18:46 abma View Status private => public
2015-09-10 20:06 abma Note Added: 0015146
2015-09-10 20:06 abma Severity major => feature
2015-09-10 20:06 abma Status resolved => new
2015-09-11 00:07 silentwings Note Added: 0015147
2015-09-11 00:29 abma Note Added: 0015148
2015-09-11 00:29 Jools Note Added: 0015149
2015-09-11 00:31 Jools Note Added: 0015150
2015-09-11 10:25 abma Note Added: 0015151
2015-09-11 17:53 abma Changeset attached => spring develop 073afd36
2015-09-11 17:53 abma Note Added: 0015153
2015-09-11 17:53 abma Assigned To jK => abma
2015-09-11 17:53 abma Status new => resolved
+Issue History