[ALL] Restore ent_fire functionality while still blocking harmful commands #1819
YourSourceBoiii wants to merge 3 commits into ValveSoftware:master from
| if ( command.ArgC() >= 3 ) | ||
| { | ||
| action = STRING( AllocPooledString(command.Arg( 2 )) ); | ||
| if (StringHasPrefix(action, "command")) //Block players misusing point_servercommand |
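Review bot: the StringHasPrefix(action, "command") test on the last line of this hunk is a prefix match on the input name alone, so it refuses every input whose name begins with "command" on any target entity, while the comment says the aim is point_servercommand. Compare the input name for equality rather than by prefix, and have the comment name the input being refused and why. The test also sits inside the command.ArgC() >= 3 branch and runs after AllocPooledString; it could run on command.Arg( 2 ) before the string is pooled, and it is worth confirming that no path outside this branch creates the same event without passing through the comparison.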
Any measures like this are useless because they can be bypassed by other commands like ent_create
If a server has sv_cheats 1 and either has sv_allow_point_servercommand always or is running a map made by Valve, it's currently possible to execute arbitrary server commands regardless of any of these protections. I won't share the method, but it's not difficult.
If you absolutely need to enable sv_cheats on a public server, you should use a server plugin that fully blocks any dangerous cheat commands such as ent_create and ent_fire (example here in ficool2's tf2ware mod).
You can already use ent_fire command with full functionality, can't you? Run the status command in the console to find your client ID, for example: then run and the command’s functionality will be restored.
@kuninyao I guess that would work for listen servers, didn't think about that. Would still be nice if Volvo could fix it so that it works by default for both listen and dedicated servers while still blocking misuse.
Currently, the ent_fire console command is only allowed to be used by listen server hosts.

There is a large comment in the SDK explaining that this was done because otherwise it could be used by anyone to run any command on a sv_cheats 1 server using the command input on a point_servercommand entity. Players could use this to change the rcon password and grief servers. Supposedly, there would be no way to avoid this misuse as the point_servercommand entity can be renamed and the input can be sent with a delay.

The person who made that change seems to have not realized that you can simply check if the input of an ent_fire is command or not, and avoid the event from being created if it is. Doing this would be far less restrictive and still allow players to play around with sv_cheats 1 without being able to change the rcon password.

It would be a godsend for scripting / sv_cheats 1 servers (which I still regularly encounter in HL2DM and HLDMS) and restore much of the fun that was lost due to this change.