exploit fix, electric boogaloo : canister edition #5068
Conversation
024a0ba removed the exploit protection of canisters without replacement, this commit fixes that. without this, anybody can open/close valves and all other forms of messing with any canister from anywhere. ALWAYS keep in mind, NanoUI will update the fancy buttons CLIENTSIDE, that does NOT protect against exploits ! the actual buttonpush can still be spoofed to the server even if NanoUI disabled/hid/greyed-out/removed the button !
|
the same goes for non-NanoUI, standard html buttons/windows too, btw |
|
👍 |
exploit fix, electric boogaloo : canister edition
| if (!istype(src.loc, /turf)) | ||
| return 0 | ||
|
|
||
|
|
||
| if(!usr.canmove || usr.stat || usr.restrained() || !in_range(loc, usr)) // exploit protection -walter0o |
There was a problem hiding this comment.
From what I understand, Adjacent() is preferable to in_range() for mobs interacting with objects since it prevents using things through glass panels.
There was a problem hiding this comment.
Actually, ClickOn() already handles adjacency, so Adjacent() may not be necessary, except for the weird case where you open the canister dialog and then move so that there is a glass panel between you and the canister. Probably not worth worrying about.
There was a problem hiding this comment.
see my comment below, i thought i posted it in here.
|
@mwerezak , at the risk of coming off as a dick, did you not read the commit description i gave ? HTML and NanoUI windows have literally NO exploit protection potentional whatsoever, they are clientside, them hiding and adding and removing and greying out buttons is eye-candy only ! this means if you dont have the object's menu and you are laying dead on the other side of the map on another z-level, for example : you are right to argue Adjacent() might be better than in_range(), but not via ClickOn(). this commits seeks to restore a basic protection against exploiters being able to open canisters without being restricted by their distance to the object, death, handcuffs or whatever, so feel free to add more checks to those i restored or replace them with better versions, but there MUST be some in the Topic proc. again, ANY windows and buttons, HTML or NanoUI, have ZERO exploit protection potentional, do not rely on them when you deal with exploit prevention, you HAVE to do that in the Topic proc NO MATTER WHAT ! almost all exploits i ever saw stem from devs not being regorous with this and failing to doublecheck other devs work. |
wooden walls
024a0ba removed the exploit protection of canisters without replacement, this commit fixes that.
without this, anybody can open/close valves and all other forms of messing with any canister from anywhere.
ALWAYS keep in mind, NanoUI will update the fancy buttons CLIENTSIDE, that does NOT protect against exploits !
the actual buttonpush can still be spoofed to the server even if NanoUI disabled/hid/greyed-out/removed the button !