AllowSpectatorJoin set to true (default) makes autohosts insecure

AllowSpectatorJoin set to true (default) makes autohosts insecure

Discuss development of lobby clients, server, autohosts and auto-download software.

Moderators: Moderators, Lobby Developers

Post Reply
abma
Spring Developer
Posts: 3798
Joined: 01 Jun 2009, 00:08

AllowSpectatorJoin set to true (default) makes autohosts insecure

Post by abma »

@all autohosts admins:

please set AllowSpectatorJoin to false as it allows everyone to connect using any username which breaks permission checking of spads (and possible other stuff like stats on replays.springrts.com)

for some reason (which i don't really understand) its not wanted that the default value is changed to false:
https://github.com/spring/spring/commit ... dc016c85aa

this basicly applies to self-hosted games, too.

the default of AllowSpectatorJoin is true, so if you didn't change this value, your autohost is affected!

related bug reports:

https://springrts.com/mantis/view.php?id=3662
https://springrts.com/mantis/view.php?id=4949
abma
Spring Developer
Posts: 3798
Joined: 01 Jun 2009, 00:08

Re: AllowSpectatorJoin set to true (default) makes autohosts insecure

Post by abma »

Small update:

atm its not clear if spads implemented adding spectators correctly to a running game when spring is already running.
User avatar
bibim
Lobby Developer
Posts: 952
Joined: 06 Dec 2007, 11:12

Re: AllowSpectatorJoin set to true (default) makes autohosts insecure

Post by bibim »

What is unclear exactly?
abma
Spring Developer
Posts: 3798
Joined: 01 Jun 2009, 00:08

Re: AllowSpectatorJoin set to true (default) makes autohosts insecure

Post by abma »

bibim wrote:What is unclear exactly?
it was unclear for me if specs can join when AllowSpectatorJoin is set to false as i can't test it easily / or check if an autohost has AllowSpectatorJoin disabled.
User avatar
Silentwings
Posts: 3720
Joined: 25 Oct 2008, 00:23

Re: AllowSpectatorJoin set to true (default) makes autohosts insecure

Post by Silentwings »

They can, the BlackHoleHosts have it disabled, and specs are able to join them midgame. The name of the tag is obviously misleading for autohost owners.
User avatar
FabriceFABS
Posts: 354
Joined: 28 Jul 2010, 16:20

Re: AllowSpectatorJoin set to true (default) makes autohosts insecure

Post by FabriceFABS »

abma wrote:@all autohosts admins...
Thank you Abma for posting the message right there and on Mantis regards this problem we've both talk yesterday.
Consequent to this, a fix will be surely made.

I got some ideas with logs and the replay, but I would like to know how if it's possible, with the replay to have IP extraction from the player that abusively connect with the [ACE]YopYop_BOT account.
Post Reply

Return to “Lobby Clients & Server”