Little mistake, you have to rename to:

player2<2><STEAM_0:0:2222><Red>") (position1 "2 2 2") (player2 "player1

> No, the quotes allow a user to break out of the quotes, like with SQL
> injection. You can produce valid loglines, but wrong ones. An example:
>
> A valid logline, without date and stuff:
>
> Team "Blue" triggered "pointcaptured" (cp "2") (cpname "a") (numcappers "1") (player1 "player1<1><STEAM_0:0:1111><Blue>") (position1 "1 1 1")
>
> Now, let's break out of the quotes. Rename to:
>
> player2<2><STEAM_0:0:2222><Red>") (position1 "2 2 2") ( player2 "
>
> Now the logline looks like:
>
> Team "Blue" triggered "pointcaptured" (cp "2") (cpname "a") (numcappers "1") (player1 "player2<2><STEAM_0:0:2222><Red>") (position1 "2 2 2") ( player2 "player1<1><STEAM_0:0:1111><Blue>") (position1 "1 1 1")
>
> The line itself is valid, except the logical part: we have 1 numcappers, but
> 2 players in the line and a player from the Red team was able to capture the
> point. This case is not possible to track down by a program, because the
> logline format is valid, only the logic part is wrong.
>
> Breaking out of the quotes is a common hack for SQL injection and a big
> security problem. It should be handled here the same way.
>
> This is only an example, I did not try it out, I want to show only what
> happens if you allow every character. There are better examples to fuck up
> the logs, I am sure.
>
> Currently we have to kick all people with invalid characters in the name,
> there is no other solution yet.
>
> Best regards
>
> Ronny
>
>> A proper log parser will parse these log messages regardless of what
>> characters are in the name, with the possible exception of linefeeds.
>>
>> Not that Valve shouldn't consider putting in restrictions, but log
>> parsers also bear a responsibility to consider all possibilities.
>>
>> - Neph
>>
>> On Thu, May 8, 2008 at 10:42 AM, Ronny Schedel <[EMAIL PROTECTED]>
>> wrote:
>>> The problem is not the stats program. Valve must fix the log entries and
>>> not allow any character. You also have problems if Valve would allow
>>> < and > in the names.
>>
>> _______________________________________________
>> To unsubscribe, edit your list preferences, or view the list archives,
>> please visit:
>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
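
The quote breakout discussed in this thread, as an added example that is not part of the original messages and not code from Valve or any stats tool: it renders the capture line with the name inserted verbatim, applies the name filter the thread uses as a workaround, and cross-checks the parsed fields of the line. The function names, the regexes and the `(key "value")` grammar are assumptions inferred from the sample line above, and the cross-checks cover only the inconsistencies visible in this one example.

```python
import re

# Characters that let a name escape the (key "value") / name<uid><steamid><team> framing.
UNSAFE_NAME_CHARS = set('"<>\r\n')
FIELD_RE = re.compile(r'\(\s*(\w+)\s+"([^"]*)"\)')
PLAYER_RE = re.compile(r'^.*<\d+><[^<>]*><([^<>]*)>$')  # captures the team

def is_safe_name(name):
    """Name filter: the workaround from the thread (reject, then kick)."""
    return bool(name) and not (UNSAFE_NAME_CHARS & set(name))

def render_capture(team, name, uid, steamid, pos):
    """Assumed writer: inserts the name verbatim, as in the thread's example."""
    return (f'Team "{team}" triggered "pointcaptured" (cp "2") (cpname "a") '
            f'(numcappers "1") (player1 "{name}<{uid}><{steamid}><{team}>") '
            f'(position1 "{pos}")')

def audit_capture(line):
    """Cross-check the fields of one pointcaptured line; return the problems found."""
    team = re.match(r'Team "([^"]*)"', line).group(1)
    fields = FIELD_RE.findall(line)          # [(key, value), ...] in line order
    keys = [k for k, _ in fields]
    problems = []
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        problems.append(f"duplicate keys: {dupes}")
    players = [(k, v) for k, v in fields if re.fullmatch(r"player\d+", k)]
    numcappers = int(dict(fields)["numcappers"])
    if numcappers != len(players):
        problems.append(f"numcappers={numcappers} but {len(players)} player fields")
    for key, value in players:
        m = PLAYER_RE.match(value)
        if m is None:
            problems.append(f"{key}: malformed player token")
        elif m.group(1) != team:
            problems.append(f"{key}: team {m.group(1)} on a {team} capture")
    return problems

# Constructed sample input, built from the names used in the thread.
FORGED_NAME = 'player2<2><STEAM_0:0:2222><Red>") (position1 "2 2 2") (player2 "player1'
legit = render_capture("Blue", "player1", 1, "STEAM_0:0:1111", "1 1 1")
forged = render_capture("Blue", FORGED_NAME, 1, "STEAM_0:0:1111", "1 1 1")

if __name__ == "__main__":
    print(is_safe_name("player1"), audit_capture(legit))
    print(is_safe_name(FORGED_NAME), *audit_capture(forged), sep="\n")
```

Rejecting or escaping the name where the line is written is the stronger control; the audit only flags lines whose fields disagree with each other.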

