• Fcvar_server_can_execute
[QUOTE=FPtje;16282009]Why not make a blacklist instead of a whitelist? I mean, the commands that have to be blocked are bind, unbind togglebind and that kind of shit.[/QUOTE] There are a surprisingly large number of seemingly innocent commands in source that end up doing the most terrible things.
[QUOTE=FPtje;16282009]Why not make a blacklist instead of a whitelist? I mean, the commands that have to be blocked are bind, unbind togglebind and that kind of shit.[/QUOTE] Ask Valve, all he did was turn on a mechanism Valve created.
[QUOTE=Python1320;16281687] You get the idea even if you don't use ULX. It's quite helpful.[/QUOTE] Cookie for you.
[QUOTE=AzuiSleet;16282210]Ask Valve, all he did was turn on a mechanism Valve created.[/QUOTE] This is bullshit. Can't he make his own "server_cant_run" flag? And then give that flag to every command that's blocked by default in RunConsoleCommand?
[QUOTE=blackops7799;16268937]I'm actually really starting to like this update. Bahahaha. [url]http://img.imagedash.com/lWTK.jpg[/url][/QUOTE] [url=www.facepunch.com]Fucking incredible[/url]. Anyway, it is depressing that anyone now can change his name again. I felt so "unique" with my namechanger. Now anyone can change names :).
Just a casual idea, doesn't technically solve the problem. Is there any way we could have a checkbox or toggle when starting a server, or perhaps a line in the server.cfg file that allows us to turn this whole problem on or off? Alongside a warning message when you enter, or a little icon next to the server alongside the 'server is passworded' padlock that tells clients whether the server is going to be able to fuck with them or not? Then it's their decision, Garry and co. get their little update working for those who want it, and us who don't (I myself just run a little funserver for friends, and this is messing up our admin tool) can then carry on as normal? Obviously that would have to be a separate update, but hopefully you see what I'm getting at, and we can get someone to make it happen. I'm not sure if it's possible to code or not, but worth a shot...
[QUOTE=Lexic;16281650]That's not valid Lua.[/QUOTE] It was an example, I'm not gonna give you the code..
[QUOTE=ecabc;16284754]It was an example, I'm not gonna give you the code..[/QUOTE] You can't use escape codes in RunConsoleCommand.
[QUOTE=FPtje;16282009]Why not make a blacklist instead of a whitelist? I mean, the commands that have to be blocked are bind, unbind togglebind and that kind of shit.[/QUOTE] Why not make a whitelist instead of a blacklist?
[QUOTE=garry;16284897]Why not make a whitelist instead of a blacklist?[/QUOTE] whitelist power!
[QUOTE=garry;16284897]Why not make a whitelist instead of a blacklist?[/QUOTE] Because with a whitelist you will block commands that don't need to be blocked, like "say" is right now. The best thing to do would be getting the blocked console commands (the ones that are blocked in RunConsoleCommand) and give those the "server_can_not_execute" flag (whatever you want to call that flag).
[QUOTE=FPtje;16286089]Because with a whitelist you will block commands that don't need to be blocked.[/QUOTE] With a whitelist garry doesn't have to search for every possibly malicious command.
[QUOTE=Skondra;16286172]With a whitelist garry doesn't have to search for every possible malicious command.[/QUOTE] With a blacklist Garry doesn't get moaning about "WHY ISN'T THIS COMMAND IN THE WHITELIST". I do believe there are more non-malicious commands than malicious. RunConsoleCommand has a blacklist so I don't see why this should have a whitelist. A whitelist has a much bigger chance of breaking addons/gamemodes.
[QUOTE=Skondra;16286172]With a whitelist garry doesn't have to search for every possibly malicious command.[/QUOTE] We are trying to play the game by the way. Have fun in your faraday cage. EDIT: Wow, I just broke my personal record in the negativeness of a message.
[QUOTE=FPtje;16286191]With a blacklist Garry doesn't get moaning about "WHY ISN'T THIS COMMAND IN THE WHITELIST". I do believe there are more non-malicious commands than malicious. RunConsoleCommand has a blacklist so I don't see why this should have a whitelist. A whitelist has a much bigger chance of breaking addons/gamemodes.[/QUOTE] People have found new malicious commands numerous times and garry is probably sick of it.
The only complaint I have with this is people are now going to be using BroadcastLua or SendLua to do these, so in the end you've accomplished nothing by blocking them from the server. Unless they're running a script like ( I think it was his ) CatDaemon's concommand blocker that allowed the local player to choose to run a command or not, wherein the client just became a lot more secure.
[QUOTE=ecabc;16284754]It was an example, I'm not gonna give you the code..[/QUOTE] An example of what? You gave some code that wouldn't have worked even if all the idiotic nested strings and misplaced characters were fixed.
There already is a blacklist, the one in RunConsoleCommand. Garry could easily use that and put some time in finding new exploitable commands to block. This whitelist just breaks too much. You're acting like the majority of the existing console commands can be used maliciously. This can not be true.
[QUOTE=FPtje;16286241]There already is a blacklist, the one in RunConsoleCommand. Garry could easily use that and put some time in finding new exploitable commands to block. This whitelist just breaks too much. You're acting like the majority of the existing console commands can be used maliciously. This can not be true.[/QUOTE] Do you really expect garry to find every exploitable command there is? And what do you mean by 'too much'? The majority of it is fixable with very little effort.
The first implementation may not be perfect but in the end a white list and a blacklist do the exact same thing. The only difference is the white list is shorter. If you're asking for a blacklist well the exact same commands would be blocked.
[QUOTE=Skondra;16286301]Do you really expect garry to find every exploitable command there is? And what do you mean by 'too much'? The majority of it is fixable with very little effort.[/QUOTE] Too many addons/gamemodes. Really a blacklist is better:
- there already is a blacklist, in RunConsoleCommand.
- way less chance of breaking mods
- way less chance of blocking commands that don't need to be blocked
- It is not effective since "unknown malicious commands" that [b]are[/b] blocked in that whitelist can still be sent through SendLua and RunConsoleCommand!

The main reason why this is made was to prevent servers from binding people's keys. That's the biggest problem, at this moment, Garry's update is more annoying than the malicious scripts that bind your keys!
[editline]07:00PM[/editline]
[QUOTE=Crazy Quebec;16286333]The first implementation may not be perfect but in the end a white list and a blacklist do the exact same thing. The only difference is the white list is shorter. If you're asking for a blacklist well the exact same commands would be blocked.[/QUOTE] This is incorrect, with so many commands that exist in source it's almost impossible to make a whitelist the same as a blacklist. [b]Besides[/b] All those "undiscovered malicious commands that aren't in the RunConsoleCommand blacklist" you're talking about right? The whitelist would absolutely have [b]no[/b] effect on them since you can use SendLua and RunConsoleCommand these "unknown malicious commands"!! Garry would [b]still[/b] have to find those malicious commands to block them in RunConsoleCommand too!
[QUOTE=Kogitsune;16286217]The only complaint I have with this is people are now going to be using BroadcastLua or SendLua to do these, so in the end you've accomplished nothing by blocking them from the server. Unless they're running a script like ( I think it was his ) CatDaemon's concommand blocker that allowed the local player to choose to run a command or not, wherein the client just became a lot more secure.[/QUOTE] I agree you are accomplishing nothing except making coders use bad code to do the same thing.
I think all this can be solved for both parties, by having the option to activate it or not, and letting clients know that it is active or not on whatever server they are on (to get round the 'legal' stuff if you see what I'm saying)
[QUOTE=GLaDOS MkII;16287886]I think all this can be solved for both parties, by having the option to activate it or not, and letting clients know that it is active or not on whatever server they are on (to get round the 'legal' stuff if you see what I'm saying)[/QUOTE] Stupid idea: by the time the player knew, they would already be in-game and thus the scripts that rebind ran.
not if it has an icon on the server menu. like where the padlock is, to show the server is passworded. just another one there.
[QUOTE=GLaDOS MkII;16288129]not if it has an icon on the server menu. like where the padlock is, to show the server is passworded. just another one there.[/QUOTE] And someone with the intent of being annoying makes a module that forces it to show that it's "safe" when it really isn't safe.
[QUOTE=GLaDOS MkII;16288129]not if it has an icon on the server menu. like where the padlock is, to show the server is passworded. just another one there.[/QUOTE] The people stupid enough to go into a 50/10 sandbox server are those stupid enough to go into servers with this protection off. If Garry whitelists enough commands it'll work fine, so there's no need for turning it off. [editline]07:38PM[/editline] [QUOTE=Kogitsune;16288360]And someone with the intent of being annoying makes a module that forces it to show that it's "safe" when it really isn't safe.[/QUOTE] This too. :v:
ok, this is true, but then technically any answer, is not the answer, rendering this entire thread, and many others useless. That's going to be the case with A LOT of things. Now sure, it probably will happen, but what would honestly be the point? The only people interested in that are going to be the 10yr olds who got us into this mess in the first place.
[QUOTE=GLaDOS MkII;16288507]ok, this is true, but then technically any answer, is not the answer, rendering this entire thread, and many others useless. That's going to be the case with A LOT of things. Now sure, it probably will happen, but what would honestly be the point? The only people interested in that are going to be the 10yr olds who got us into this mess in the first place.[/QUOTE] You've got to be kidding me. I've been further even more decided to use even go need to do look more as anyone can. Can you really be far even as decided half as much to use go wish for that? My guess is that when one really been far even as decided once to use even go want, it is then that he has really been far even as decided to use even go want to do look more like. It's just common sense.
Why can't you make a blacklist (that only includes bind and some other commands) of commands in clientside file in the cfg/ folder...