
Fixes negative payment in NTpay & Encodes name param sent to admins in fax #71491

Merged
merged 7 commits into from Nov 24, 2022

Conversation


@ghost ghost commented Nov 24, 2022

About The Pull Request

NTpay wasn't validating negative input server-side, allowing for negative payment to users (Negative - Negative = Positive, so it adds money to the sender's account). Also encodes a parameter that was sent unsanitized to admins.

Why It's Good For The Game

Changelog

🆑
fix: Fixes a NTPay exploit.
/:cl:
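The two defects the PR description names, shown side by side as an added example written for this page, not the project's own DM code: a transfer that trusts the client's amount (so a negative amount credits the sender) next to one that validates the amount server-side, plus an admin notice that escapes the client-supplied name before it is displayed. `Account`, `transfer_unchecked`, `transfer_checked` and `admin_notice` are hypothetical names.

```python
from dataclasses import dataclass
from html import escape


class PaymentError(ValueError):
    """Raised when a transfer request fails server-side validation."""


@dataclass
class Account:
    # Hypothetical stand-in for a player's bank account.
    name: str
    balance: int = 0


def transfer_unchecked(sender: Account, recipient: Account, amount: int) -> None:
    """The flawed pattern: the amount is used exactly as the client sent it.
    With amount < 0 the sender is debited a negative value (i.e. credited)
    and the recipient is debited instead."""
    sender.balance -= amount
    recipient.balance += amount


def transfer_checked(sender: Account, recipient: Account, amount) -> None:
    """Server-side validation: the amount must be a positive integer that the
    sender can cover. The client UI may also check this, but only this check
    can be trusted, because the client controls what it sends."""
    if isinstance(amount, bool) or not isinstance(amount, int):
        raise PaymentError("amount must be an integer")
    if amount <= 0:
        raise PaymentError("amount must be positive")
    if amount > sender.balance:
        raise PaymentError("insufficient funds")
    sender.balance -= amount
    recipient.balance += amount


def admin_notice(sender_name: str, recipient_name: str, amount: int) -> str:
    """Build the message shown to admins. Names come from the client, so they
    are HTML-escaped here rather than passed through unsanitized."""
    return (f"{escape(sender_name)} paid {escape(recipient_name)} "
            f"{amount} credits")
```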

@ghost ghost requested a review from JohnFulpWillard as a code owner November 24, 2022 12:29
@tgstation-server tgstation-server added the Fix Rewrites a bug so it appears in different circumstances label Nov 24, 2022
@ghost ghost changed the title Fixes negative payment in NTpay Fixes negative payment in NTpay & Encodes name param sent to admins in fax Nov 24, 2022
@ghost ghost changed the title Fixes negative payment in NTpay & Encodes name param sent to admins in fax Fixes negative payment in NTpay & Encodes name param sent to admins in fax (Don't merge) Nov 24, 2022
@ghost ghost changed the title Fixes negative payment in NTpay & Encodes name param sent to admins in fax (Don't merge) Fixes negative payment in NTpay & Encodes name param sent to admins in fax Nov 24, 2022
@Fikou (Member) commented Nov 24, 2022

Thank you for the PR. In the future, can you not tell people how to do these with a fully detailed guide on how to run these exploits every round? (People hijack the game by running them every round.)

@ghost (Author) commented Nov 24, 2022

> Thank you for the PR. In the future, can you not tell people how to do these with a fully detailed guide on how to run these exploits every round? (People hijack the game by running them every round.)

I didn't expect them to exploit it. I just wanted more people to know how such an exploit could be done. Unlike hrefs, very few people know how these things work, and I think it leads to UI developers not expecting these things to even be possible. I apologize.

Labels: Fix (Rewrites a bug so it appears in different circumstances), Priority: High (We messed up.), Security (I'll be honest we don't even know why we have this label)