2008/5/8 Ronny Schedel <[EMAIL PROTECTED]>: > No, the quotes allow an user to break out the quotes, like with SQL > injection. You can produce valid loglines, but wrong one. An example: > > A valid logline, without date and stuff: > > Team "Blue" triggered "pointcaptured" (cp "2") (cpname "a") (numcappers "1") > (player1 "player1<1><STEAM_0:0:1111><Blue>") (position1 "1 1 1") > > Now, let's break out the quotes. Rename to: > > player2<2><STEAM_0:0:2222><Red>") (position1 "2 2 2") ( player2 " > > Now the logline looks like: > > Team "Blue" triggered "pointcaptured" (cp "2") (cpname "a") (numcappers "1") > (player1 " > player2<2><STEAM_0:0:2222><Red>") (position1 "2 2 2") ( player2 " > player1<1><STEAM_0:0:1111><Blue>") (position1 "1 1 1") > > > The line itself is valid, except the logical part: we have 1 numcappers, but > 2 players in the line and a player from the Red team was able to capture the > point. This case is not possible to track down by a program, because the > logline format is valid, only the logic part is wrong. > > Breaking out the quotes is a common hack for SQL injection and a big > security problem. It should be handled here like the same. > > This is only an example, I did not tried it out, I want to show only what > happens if you allow every character. There are better examples to fuck up > the logs, I am sure. > > Currently we have to kick all people with invalid characters in the name, > there is no other solution yet.
Aha, if the player name is not the very first field on a line, you have a problem. I've only used this on CS/CSS/DOD/DODS servers so far. Is this for TF2 then? We don't have any of those running. It has been mentioned to move some of the old CS servers onto TF2 mind you. So I am sure I'll find out these perils soon enough. Umm, are the "player1" and "player2" lines after the capture on separate lines? If so it's easy to pull them out. If not... Yes, there's scope for abuse that is unavoidable I guess. _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds_linux
