The matter is that with proper regex and such, one can make a log parsing program that will not run into this issue. Now, I do not know of the exact ways to go about this, but many other programs parse similar logs with complete success.
On Thu, May 8, 2008 at 11:58 AM, Ronny Schedel <[EMAIL PROTECTED]> wrote: > Little mistake, you have to rename to: > > player2<2><STEAM_0:0:2222><Red>") (position1 "2 2 2") (player2 "player1 > >> No, the quotes allow an user to break out the quotes, like with SQL >> injection. You can produce valid loglines, but wrong one. An example: >> >> A valid logline, without date and stuff: >> >> Team "Blue" triggered "pointcaptured" (cp "2") (cpname "a") (numcappers >> "1") >> (player1 "player1<1><STEAM_0:0:1111><Blue>") (position1 "1 1 1") >> >> Now, let's break out the quotes. Rename to: >> >> player2<2><STEAM_0:0:2222><Red>") (position1 "2 2 2") ( player2 " >> >> Now the logline looks like: >> >> Team "Blue" triggered "pointcaptured" (cp "2") (cpname "a") (numcappers >> "1") >> (player1 " >> player2<2><STEAM_0:0:2222><Red>") (position1 "2 2 2") ( player2 " >> player1<1><STEAM_0:0:1111><Blue>") (position1 "1 1 1") >> >> >> The line itself is valid, except the logical part: we have 1 numcappers, >> but >> 2 players in the line and a player from the Red team was able to capture >> the >> point. This case is not possible to track down by a program, because the >> logline format is valid, only the logic part is wrong. >> >> Breaking out the quotes is a common hack for SQL injection and a big >> security problem. It should be handled here like the same. >> >> This is only an example, I did not tried it out, I want to show only what >> happens if you allow every character. There are better examples to fuck up >> the logs, I am sure. >> >> Currently we have to kick all people with invalid characters in the name, >> there is no other solution yet. >> >> Best regards >> >> Ronny >> >> >>>A proper log parses will parse these log messages regardless of what >>> characters are in the name, with the possible exception of linefeeds. >>> >>> Not that valve shouldn't consider putting in restrictions, but log >>> parsers also bear a responsibility to consider all possibilities. >>> >>> - Neph >>> >>> On Thu, May 8, 2008 at 10:42 AM, Ronny Schedel <[EMAIL PROTECTED]> >>> wrote: >>>> The problem is not the stats program. Valve must fix the log entries and >>>> does not allow any character. You have also problems if Valve would >>>> allow >>>> < >>>> and > in the names. >>>> >>> >>> _______________________________________________ >>> To unsubscribe, edit your list preferences, or view the list archives, >>> please visit: >>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux >>> >> >> >> _______________________________________________ >> To unsubscribe, edit your list preferences, or view the list archives, >> please visit: >> http://list.valvesoftware.com/mailman/listinfo/hlds_linux >> > > > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, please > visit: > http://list.valvesoftware.com/mailman/listinfo/hlds_linux > _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds_linux
