Page 7 of 11

Re:

Posted: Tue Oct 16, 2007 7:13 pm
by John Preston
Gamall wrote:Since it was so easy (exactly 3 lines of code to add ;) ) I made the 1.0f version:
-> Names such as "**Spamzor" are automatically converted to "* Spamzor", so the display bug cannot be exploited anymore.
Replace a "space" with a "dot", please.
**Spamzor -> *.Spamzor

And some new suggestions:
* Unlock base emotes (meditate, bow etc) in all gametypes (or in FFA). CVARable )

* Change private chat color to yellow or make it CVARble (ga_PrivateChatColor (0-9), 6-default)

* Change /t(ime) cmd:
^7Server Time:
^5Oct 16 2007 12:00:00

* Unlock CVAR r_we (weather effects)

* Make CVAR ga_PrivateDuelMusic (1-on (def), 0 - off). Sometimes its realy disturb :)

To be continued...

Re: Re:

Posted: Tue Oct 16, 2007 7:35 pm
by cybermaniac
John Preston wrote:
Gamall wrote:Since it was so easy (exactly 3 lines of code to add ;) ) I made the 1.0f version:
-> Names such as "**Spamzor" are automatically converted to "* Spamzor", so the display bug cannot be exploited anymore.
Replace a "space" with a "dot", please.
**Spamzor -> *.Spamzor

And some new suggestions:
* Unlock base emotes (meditate, bow etc) in all gametypes (or in FFA). CVARable )

* Change private chat color to yellow or make it CVARble (ga_PrivateChatColor (0-9), 6-default)

* Change /t(ime) cmd:
^7Server Time:
^5Oct 16 2007 12:00:00

* Unlock CVAR r_we (weather effects)

* Make CVAR ga_PrivateDuelMusic (1-on (def), 0 - off). Sometimes its realy disturb :)

To be continued...

tbh u might as well go JA+ for most of those things as they aren't really useful for admins - more of a messaround type thing...

also i have a feeling that the chat is actually hard coded.

Re: Re:

Posted: Tue Oct 16, 2007 7:54 pm
by John Preston
cybermaniac
oh...
please, dont post here, if u've nothing usefull to say :fear

they aren't really useful for admins

lol, what about players? they needs fun, sometimes...

also i have a feeling that the chat is actually hard coded.

bad feeling, dude.

Re: Re:

Posted: Tue Oct 16, 2007 8:06 pm
by cybermaniac
John Preston wrote:cybermaniac
oh...
please, dont post here, if u've nothing usefull to say :fear

they aren't really useful for admins

lol, what about players? they needs fun, sometimes...

also i have a feeling that the chat is actually hard coded.

bad feeling, dude.

well, you realise that this mod was initially designed ("gamall: These features are on the very edge of being "admin" features, rather than security fixes.") as a security mod. Not as a JA+ replacement. Again that is down to Gamall, however, if you read approx 15 posts from bottom on first page, you will see that admin/player things were thought about but not implemented.


and on the chat thing, i was merely going by the comment made by gamall ("on the other hand, the /svsay command can't be altered, as it is hard coded into jampded instead of jampgame."), if i'm wrong then i'm wrong, unlike some i admit any mistakes i make :)

I'm not one to argue, but seems you didn't quite have anything useful to say on your last post, so please don't be so hypocritical.

If you want "fun" as you call it, thats what JA+ is for, has less to do with the game than actually mess around with settings and admin abuse.


On a seperate note, the new mod is running in linux and thus far is working fine with no problems.

Re: BaseJKA Security Fix

Posted: Wed Oct 17, 2007 4:22 pm
by Gamall
Features requests are locked for 1.1, and I'll only write a 1.1+ if I hear of another security exploit on the jampgame component.

Also keep in mind that:
  • I haven't much free time this year, and I have many other more interesting projects to spend it on.
  • I don't even play that game anymore. In fact, I stopped playing it when I started writing programs for it ;)
Since I'll release the source code for 1.1 under the GPL, you'll be free to add that kind of things yourself, it really does not take a rocket scientist, all it takes is time and motivation, and I've run short of both.

Some comments:
John Preston wrote: Unlock base emotes (meditate, bow etc) in all gametypes (or in FFA). CVARable )
I've no idea why my mod disables them, and haven't looked it up.
John Preston wrote:* Change private chat color to yellow or make it CVARble (ga_PrivateChatColor (0-9), 6-default)
Doable. Not sure whether the color is hardcoded into jampded or not, but the chat string can be altered by jampgame, and therefore a color can be added.
John Preston wrote:* Make CVAR ga_PrivateDuelMusic (1-on (def), 0 - off). Sometimes its realy disturb
Unless I'm mistaken, you can't do that in a serv-side mod. You'd need a client plugin for that.

Other suggestions are all doable. But not by me for the aforementioned reasons :langue
John Preston wrote:please, dont post here, if u've nothing usefull to say
That kind of remark is not yours to make, thanks. Keep cool. I'll just assume you were having a very bad day...
cybermaniac wrote:well, you realise that this mod was initially designed ("gamall: These features are on the very edge of being "admin" features, rather than security fixes.") as a security mod. Not as a JA+ replacement. Again that is down to Gamall, however, if you read approx 15 posts from bottom on first page, you will see that admin/player things were thought about but not implemented.
Exact.

My concern was with DoS (== server-crashing) attacks, and from that point of view the mod was complete from the very first version, insofar as every vulnerability of the jampgame component known to me was fixed. I made some random alterations here and there because it was fun and I'd nothing better to do, and/or because I was kindly asked to, but it never was the primary goal of my mod.

I don't have either time or will to do this anymore. I'll only resume work if I hear of a new DoS attack targeting jampgame.
cybermaniac wrote:and on the chat thing, i was merely going by the comment made by gamall ("on the other hand, the /svsay command can't be altered, as it is hard coded into jampded instead of jampgame."), if i'm wrong then i'm wrong, unlike some i admit any mistakes i make
It is sometimes hard to guess where the features are coded. \say and \tell, as well as the dedicated server say (/say from a server console) are part of jampgame (ie. open-source), while /svsay is part of jampded (closed-source). That does not make much sense to me, but that's the way it is. The only way to know is to wade in the code :?
cybermaniac wrote:On a seperate note, the new mod is running in linux and thus far is working fine with no problems.
Good. As soon as I get some free time I'll test/fix the invisible skin thingy, wrap this up and move on.

Re: BaseJKA Security Fix

Posted: Sat Oct 20, 2007 8:23 pm
by Gamall
Well, I have tested the "invisible skin" exploit, and it is quite funny but not a critical bug at all.

The skin is just silver or headess, but it does not really make anyone "invisible" :D

Re: BaseJKA Security Fix

Posted: Sat Oct 20, 2007 8:30 pm
by cybermaniac
however - on hoth - there IS an invisible skin problem - basically if u get into atst and reconnect.....you become invisible....

Re: BaseJKA Security Fix

Posted: Sat Oct 20, 2007 8:52 pm
by Gamall
Very strange, I'd have absolutely no idea how to fix that :? Every info is supposed to be cleaned when you reconnect...

Anyway, the 1.1 build is already done for win and linux, and I'm currently documenting and packing everything.

Re: BaseJKA Security Fix

Posted: Sun Oct 21, 2007 1:50 am
by John Preston
Gamall wrote:Well, I have tested the "invisible skin" exploit, and it is quite funny but not a critical bug at all.

The skin is just silver or headess, but it does not really make anyone "invisible" :D
try

Code: Select all

jedi_hm/model_siege|torso_a1|lower_a1

Code: Select all

jedi_hm/model_default|torso_a1|lower_a1
only lower is visible.

I forget some other bugs:
* Timelimit value during voting. (-9999999999 value is crashing a server. Disable minus ).
* map_restart value during voting. (-9999999999 or 9999999999 values are blocking duel servers with fraglimit 1 (next raund after voting will blocked with centralscreen connection problem message . Limit value (0-min;60-max).
and sugg's:
* add cvar ga_VoteTimer to prevent votespam.

Its enough for today, i think.

Re: BaseJKA Security Fix

Posted: Sun Oct 21, 2007 1:56 am
by cybermaniac
in addition to john preston's post, might be nice IF there was an admin cancelvote command?

Re: BaseJKA Security Fix

Posted: Sun Oct 21, 2007 11:08 am
by Gamall
Er... did you completely miss the first part of that post ? viewtopic.php?p=3543#p3543 :?

I am done with 1.1 for now, it is already packed ! Once released, it will disappear from my (non-exhaustive) projects list, unless a security exploit is found. (or a big bad bug in my own code)

Again, I have a job, and a very limited amount of free time. I simply can't spend it all fixing an endless stream of minor bugs. This is why I am releasing the source code. So if you need something minor (ie. not crashing the serv) done, you can do it yourself quickly rather than waiting for months for me to find time to do it.
John Preston wrote:* Timelimit value during voting.... crashing server
This looks almost like a security risk however. :? I'll look into it next weekend, but I'm releasing 1.1 now anyway. Else we'll all be old before anything actually gets released ;)

Re: BaseJKA Security Fix

Posted: Sun Oct 21, 2007 1:48 pm
by Gamall
Version 1.1 and source code out, first post updated.

Re: BaseJKA Security Fix

Posted: Sun Oct 21, 2007 7:21 pm
by cybermaniac
sorry for the ingnorance here, but how would i set the server to write to "ga_ConnectLog.txt"?

Re: BaseJKA Security Fix

Posted: Sun Oct 21, 2007 8:02 pm
by Gamall
You don't, it does it automatically :?

The writing is 'buffered', however, so it won't write anything to file until there is enough material. So if you just set up a test server and connect to it, the log won't appear to be updated. In fact it will be, but you need several connections before the buffer is filled and things written down ; meanhile, they stay in memory.

All logs in JKA are buffered. This is done for performance reasons, since writing to files is relatively slow compared to memory access.

It may not be such a good idea for the connect log though, since it would only be written to every Connect(), which is not much. :?

Re: BaseJKA Security Fix

Posted: Sun Oct 21, 2007 8:13 pm
by cybermaniac
might be useful for monitoring reasons (eg, xx connections per month? :P)