-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
exploit fix, electric boogaloo : canister edition #5068
Conversation
024a0ba removed the exploit protection of canisters without replacement, this commit fixes that. without this, anybody can open/close valves and all other forms of messing with any canister from anywhere. ALWAYS keep in mind, NanoUI will update the fancy buttons CLIENTSIDE, that does NOT protect against exploits ! the actual buttonpush can still be spoofed to the server even if NanoUI disabled/hid/greyed-out/removed the button !
the same goes for non-NanoUI, standard html buttons/windows too, btw |
👍 |
exploit fix, electric boogaloo : canister edition
if (!istype(src.loc, /turf)) | ||
return 0 | ||
|
||
|
||
if(!usr.canmove || usr.stat || usr.restrained() || !in_range(loc, usr)) // exploit protection -walter0o |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From what I understand, Adjacent() is preferable to in_range() for mobs interacting with objects since it prevents using things through glass panels.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, ClickOn() already handles adjacency, so Adjacent() may not be necessary, except for the weird case where you open the canister dialog and then move so that there is a glass panel between you and the canister. Probably not worth worrying about.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see my comment below, i thought i posted it in here.
@mwerezak , at the risk of coming off as a dick, did you not read the commit description i gave ? HTML and NanoUI windows have literally NO exploit protection potentional whatsoever, they are clientside, them hiding and adding and removing and greying out buttons is eye-candy only ! this means if you dont have the object's menu and you are laying dead on the other side of the map on another z-level, for example : you are right to argue Adjacent() might be better than in_range(), but not via ClickOn(). this commits seeks to restore a basic protection against exploiters being able to open canisters without being restricted by their distance to the object, death, handcuffs or whatever, so feel free to add more checks to those i restored or replace them with better versions, but there MUST be some in the Topic proc. again, ANY windows and buttons, HTML or NanoUI, have ZERO exploit protection potentional, do not rely on them when you deal with exploit prevention, you HAVE to do that in the Topic proc NO MATTER WHAT ! almost all exploits i ever saw stem from devs not being regorous with this and failing to doublecheck other devs work. |
wooden walls
024a0ba removed the exploit protection of canisters without replacement, this commit fixes that.
without this, anybody can open/close valves and all other forms of messing with any canister from anywhere.
ALWAYS keep in mind, NanoUI will update the fancy buttons CLIENTSIDE, that does NOT protect against exploits !
the actual buttonpush can still be spoofed to the server even if NanoUI disabled/hid/greyed-out/removed the button !