How come owners still have sv_allowupload/download enabled?

Solved. Lock this please.

the exploit was fixed a while back

[editline]17th May 2015[/editline]


Allowupload allows sprays to be, well sprayed.

Are you so sure of that?

well no one else has complained in a real long time so yeah, plus they aren’t having issues are they?

Maybe Garry should be aware it’s still just as possible as it was?? This could be a big problem for bigger communities

(Granted I tested the script on a vanilla TTT server but it would in fact pull files from any server having it still enabled.)

garry also doesn’t work on gmod anymore

you should bitch to robotboy

I don’t know wtf anyone does anymore. Alright I’ll let him know. Thanks

Dude, doing what you’re doing doesn’t need sv_allowdownload/allowupload to be enabled at all

sv_allowupload is needed to upload the spray to the server.
sv_allowdownload downloads the sprays to each client.

You need both in order to see everyone’s sprays. As far as I know it has been patched.

@Im-Friendly yes it does, how else would he be able to download the server files without using some kind of new exploit nobody knows about.

For the sake of everyone’s sanity, please don’t completely edit out the OP like that. Now even if this does pertain to someone else we have no fucking idea what the issue might of been or what exploit it might of been related to.

Your screenshot appears to be a dump of Lua that has been executed on your client. The sv_allowdownload/sv_allowupload ConVars aren’t related.

Being able to view clientside and shared Lua from a server has always been possible and will always be possible. You can’t fix it.

Although you should keep these disabled anyway. Sure the recent extremely public one was fixed, but how many times over the past few years has a new exploit been found that is blocked by disabling those?

like 10

My point exactly, the chances of another one being found isn’t exactly slim.

there really is no reason to enable sv_allowblah

Your addon is neat but the fact that a player would need to give a url to their spray is an inconvenience many would find annoying enough to warrant enabling sv_allowwhatever.

that’s way more convenient than choosing a local file with super-specific filesize/type/dimension limitations

what are you smoking

I think I would rather the fact of a URL and not being Hacked…