[QUOTE=FPtje;16286241]There already is a blacklist, the one in RunConsoleCommand.
Garry could easily use that and put some time in finding new exploitable commands to block.
This whitelist just breaks too much.
You're acting like the majority of the existing console commands can be used maliciously. This can not be true.[/QUOTE]
It breaks like 4 fucking commands, fuck me, get over it. I've whitelisted them in the next update.
[QUOTE=TeamReality;16288676]Why can't you make a blacklist (that only includes bind and some other commands) of commands in clientside file in the cfg/ folder...[/QUOTE]
Because funnily enough, a lot of exploits are designed to write files to the user's computer, or change existing ones. Like, perhaps, that file.
[QUOTE=garry;16288696]It breaks like 4 fucking commands, fuck me, get over it. I've whitelisted them in the next update.[/QUOTE]
Is it wrong to say I love you garry?
[QUOTE=Lexic;16288754]Because funnily enough, a lot of exploits are designed to write files to the user's computer, or change existing ones. Like, perhaps, that file.[/QUOTE]
Garry should think about fixing more serious exploits instead of client's keys being rebound by server, which generally any Source server can do.
[QUOTE=TeamReality;16288779]Garry should think about fixing more serious exploits instead of client's keys being rebound by server, which generally any Source server can do.[/QUOTE]
I'm fairly sure he fixes them as soon as people deign to tell him about them.
And before you say that he should go hunting for them, he seems to spend most of his time working on his new engine, I'd far prefer that he spent the time he works on gmod fixing other bugs and adding new features [url=http://getsatisfaction.com/facepunch/products/facepunch_garry_s_mod]as requested/reported on the shiny new 2.0 website[/url] than rooting through the code to find exploits that may or may not exist.
[QUOTE=TeamReality;16288779]Garry should think about fixing more serious exploits instead of client's keys being rebound by server, which generally any Source server can do.[/QUOTE]
The key binding IS the most serious exploit THAT I KNOW ABOUT right now.
Plus the whole point of this update is to bring it inline with ALL OTHER SOURCE SERVERS since all Valve games have this shit set by default.
Fuck Lua Injections
[QUOTE=garry;]It breaks like 4 fucking commands,[b]fuck me[/b], get over it. I've whitelisted them in the next update.[/QUOTE]
I have waited for this moment for a while.
[QUOTE=garry;16288696]It breaks like 4 fucking commands, fuck me, get over it. I've whitelisted them in the next update.[/QUOTE]
Calm down Garry, I hope that update is quick. Current update breaks my player possessor and the remake of it.
Are you sure you've included the movement commands?
All Lua generated commands automatically have that flag right? So making someone run gm_spawn would still work?
Or making a player select a tool?
Are quit/connect/disconnect/retry going to be in the whitelist? I understand if they won't, it is damn annoying if it happens to you.
Are you going to fix the player:SendLua([[RunConsoleCommand(<command>)]]) thing?
gm_spawn is serverside. No, those commands aren't in the whitelist.
Fix what?
[QUOTE=garry;16301373]gm_spawn is serverside. No, those commands aren't in the whitelist.
Fix what?[/QUOTE]
Fix that people can get around the ply:ConCommand whitelist by simply sending some Lua to the client to run the command through RunConsoleCommand.
To which I re-iterate and re-form my request: Can you please make a blockedcommands.cfg file in the cfg folder which allows clients to specify additional commands they do not wish run through LocalPlayer():ConCommand() and RunConsoleCommand().
[QUOTE=Lexic;16301392]Fix that people can get around the ply:ConCommand whitelist by simply sending some Lua to the client to run the command through RunConsoleCommand.
To which I re-iterate and re-form my request: Can you please make a blockedcommands.cfg file in the cfg folder which allows clients to specify additional commands they do not wish run through LocalPlayer():ConCommand() and RunConsoleCommand().[/QUOTE]
That's rather ridiculous in concept when someone scripts with the assumption all clients can or can't run the same commands.
[QUOTE=garry;16301373]gm_spawn is serverside. No, those commands aren't in the whitelist.
Fix what?[/QUOTE]
Well you say the "quit" command will not be in the blacklist, right?
So this will not work:
[lua]player:ConCommand("quit")[/lua]
But what happens when you try this:
[lua]player:SendLua("RunConsoleCommand('quit')")[/lua]
It would still work since the client executes it.
Where can we view this 'whitelist' and its progress, and possibly make suggestions? Separate thread much?
[QUOTE=FPtje;16301506]Well you say the "quit" command will not be in the blacklist, right?
So this will not work:
[lua]player:ConCommand("quit")[/lua]
But what happens when you try this:
[lua]player:SendLua("RunConsoleCommand('quit')")[/lua]
It would still work since the client executes it.[/QUOTE]
Isn't quit one of the original blacklisted commands so it wouldn't?
No, it isn't in the original blacklist
By the way why did
[lua]ply:ConCommand("disconnect")[/lua] just work on my listen server?
[QUOTE=FPtje;16302985]No, it isn't in the original blacklist
By the way why did
[lua]ply:ConCommand("disconnect")[/lua] just work on my listen server?[/QUOTE]
According to AzuiSleet, listen servers use a loopback, so in theory that is being executed on the server.
And:
[code]
] lua_run_cl RunConsoleCommand("quit")
RunConsoleCommand: Command is blocked! (quit)[/code]
Ok quit is blocked
Let me explain it this way (done on dedi server)
On server: (Player(2) is me)
[lua]Player(2):ConCommand("+forward")[/lua]
On client:
[code]FCVAR_SERVER_CAN_EXECUTE prevented server running command: +forward[/code]
Normal. The console command is blocked. Works like a charm.
But then I do this:
Server:
[lua]lua_run Player(2):SendLua([[RunConsoleCommand("+forward")]])[/lua]
Client:
*walks forward*
Edit:
In other words, I've got a fix for the whiteflag system:
[lua]
local PLAYER = FindMetaTable("Player")
function PLAYER:ConCommand(...)
self:SendLua("LocalPlayer():ConCommand(\"" .. table.concat(arg, " ").."\")")
end[/lua]
Thanks to lexic for this original idea.
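An added example, not part of any post in this thread and not Garry's Mod or Source engine code: a plain-Lua model of the two paths tested in the post above, showing that a server-sent command is only as restricted as the weaker gate unless Lua delivered by SendLua is also held to the whitelist. The table contents, the function names and the `strict` origin check are assumptions made for illustration.

```lua
-- Plain-Lua model of the two command paths; not Garry's Mod or Source engine code.
-- Every table and function name below is hypothetical.

-- Constructed sample policy: "say" is a made-up whitelist entry.
local SERVER_CAN_EXECUTE = { say = true }         -- whitelist for server-sent commands
local RUNCONSOLECOMMAND_BLOCKED = { quit = true } -- blacklist inside RunConsoleCommand

-- Path 1: server -> client ConCommand, gated by the whitelist.
local function server_concommand(cmd)
  if not SERVER_CAN_EXECUTE[cmd] then
    return false, "FCVAR_SERVER_CAN_EXECUTE prevented server running command: " .. cmd
  end
  return true, "ran " .. cmd
end

-- Path 2: RunConsoleCommand on the client, gated only by the blacklist.
-- from_server marks Lua that arrived through SendLua. With strict set, such
-- Lua must also pass the whitelist (an assumed mitigation, not a real option).
local function client_runconsolecommand(cmd, from_server, strict)
  if RUNCONSOLECOMMAND_BLOCKED[cmd] then
    return false, "RunConsoleCommand: Command is blocked! (" .. cmd .. ")"
  end
  if strict and from_server and not SERVER_CAN_EXECUTE[cmd] then
    return false, "server-sent Lua may not run non-whitelisted command: " .. cmd
  end
  return true, "ran " .. cmd
end

local function report(label, ok, msg)
  print(string.format("%-38s %-8s %s", label, ok and "ALLOWED" or "BLOCKED", msg))
end

for _, cmd in ipairs({ "+forward", "quit", "say" }) do
  report("ConCommand " .. cmd, server_concommand(cmd))
  report("SendLua -> RunConsoleCommand " .. cmd, client_runconsolecommand(cmd, true, false))
  report("same, origin-aware " .. cmd, client_runconsolecommand(cmd, true, true))
  -- The player's own scripts keep the blacklist-only behaviour.
  report("local script " .. cmd, client_runconsolecommand(cmd, false, true))
end
```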
[QUOTE=FPtje;16303101]Ok quit is blocked
Let me explain it this way (done on dedi server)
On server: (Player(2) is me)
[lua]Player(2):ConCommand("+forward")[/lua]
On client:
[code]FCVAR_SERVER_CAN_EXECUTE prevented server running command: +forward[/code]
Normal. The console command is blocked. Works like a charm.
But then I do this:
Server:
[lua]lua_run Player(2):SendLua([[RunConsoleCommand("+forward")]])[/lua]
Client:
*walks forward*[/QUOTE]
-snip-
Didn't see Lexi's idea.
[QUOTE=FPtje;16302985]No, it isn't in the original blacklist
By the way why did
[lua]ply:ConCommand("disconnect")[/lua] just work on my listen server?[/QUOTE]
I noticed, listenservers do not block blacklisted commands. At least it was so when I checked it half a year ago or so.
[QUOTE=FPtje;16301506]Well you say the "quit" command will not be in the blacklist, right?
So this will not work:
[lua]player:ConCommand("quit")[/lua]
But what happens when you try this:
[lua]player:SendLua("RunConsoleCommand('quit')")[/lua]
It would still work since the client executes it.[/QUOTE]
I'm trying to block EVERY COMMAND.
I'm using Valve's system. It's already coded and safe. I don't have to do anything. I'm not using it to block commands like quit. I'm using it to block commands that are already blocked under RunConsoleCommand.
Any useful commands that aren't encouraging LAZY, SLOPPY CODING will be UNBLOCKED.
[QUOTE=garry;16303899]I'm trying to block EVERY COMMAND.
I'm using Valve's system. It's already coded and safe. I don't have to do anything. I'm not using it to block commands like quit. I'm using it to block commands that are already blocked under RunConsoleCommand.
Any useful commands that aren't encouraging LAZY, SLOPPY CODING will be UNBLOCKED.[/QUOTE]
Oh, you mean that there will be way more whitelisted commands? And that the ones that are not in the whitelist are about the same as the ones that are in the RunConsoleCommand blacklist?
FCVAR_SERVER_CAN_EXECUTE prevented server running command: SchoolMe
Made me smirk.
[QUOTE=Python1320;16304480]FCVAR_SERVER_CAN_EXECUTE prevented server running command: SchoolMe
Made me smirk.[/QUOTE]
Heh. That is funny.
DUDE! he blocked HLDJ and HLSS too!
"Disabled because it's super annoying"
Is there a serverside command to turn this block off?
Not everyone thinks this is annoying. I would like to show other people some music in my listen server.
[QUOTE=FPtje;16309703]DUDE! he blocked HLDJ and HLSS too!
"Disabled because it's super annoying"
Is there a serverside command to turn this block off?
Not everyone thinks this is annoying. I would like to show other people some music in my listen server.[/QUOTE]
Damn. That's annoying.
[QUOTE=FPtje;16309703]DUDE! he blocked HLDJ and HLSS too!
"Disabled because it's super annoying"
Is there a serverside command to turn this block off?
Not everyone thinks this is annoying. I would like to show other people some music in my listen server.[/QUOTE]
Last time I checked, GMOD wasn't made to show people music.
[quote=FPtje]DUDE! he blocked HLDJ and HLSS too!
"Disabled because it's super annoying"
Is there a serverside command to turn this block off?
Not everyone thinks this is annoying. I would like to show other people some music in my listen server.
[/quote]
toggle voice_inputfromfile
[QUOTE=victormeriqui_1;16315951]toggle voice_inputfromfile[/QUOTE]
The convar has been completely removed. It doesn't even exist anymore after tonight's update.
[QUOTE=FPtje;16309703]DUDE! he blocked HLDJ and HLSS too!
"Disabled because it's super annoying"
Is there a serverside command to turn this block off?
Not everyone thinks this is annoying. I would like to show other people some music in my listen server.[/QUOTE]
I feel your pain ;_;
Garry apparently thinks anyone who has hlss/dj is a micspamming 10-year-old.