Massive patch: server-side player authentication

Dwachs · January 14, 2012, 08:12:00 PM

Currently, passwords are checked locally on the client. Thus, an evil client can modify the code, and disturb other players in network mode.

The patch addresses this. Now passwords are checked only on server. The server sends the result of the check back to the client. The server also checks if a certain client can act as a given player. If passwords are emptied (changed) then all clients are allowed (disallowed) to act as this player.

This also implies that the result of any tool (wkz_*) should not depend on the local spieler_t::is_locked() state, as this can be modified on clients. Then actions that require that public player is unlocked have to be handled differently, as only the server can make the lock/unlock check. This affects the 'create new player' command (when activating an AI player) and 'toggle freeplay'. For the same reasons, I deactivated the map-lock tool in network games.

prissi · January 14, 2012, 10:22:05 PM

Very good, this was needed for quite some time.

Dwachs · January 28, 2012, 09:56:47 AM

What about committing this?

Wait for an upcoming 111.1.1 release ?

prissi · January 28, 2012, 11:27:39 AM

If it works, let's put it in. I am not so well this weekend, thus not sure if I can release this weekend.

News:

Massive patch: server-side player authentication

Dwachs

prissi

Dwachs

prissi