can players exploit sourcemod with their name?


sukodaime
Junior Member
Join Date: May 2021
06-23-2021, 06:02   can players exploit sourcemod with their name?
#1

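char name[MAX_NAME_LENGTH]; GetClientName(client, name, sizeof(name));
ServerCommand("sm_command %s", name); // name is inserted into the command string unfiltered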

If they make their name something like ;quit, will it work like sm_command ; and then quit the console?
Is it somehow possible for them to make their name something like I mentioned above? If it's possible, which names are a possible threat? (I am not sure, but I saw something like ;/quit/, I can't exactly remember.)

How can I prevent them from doing that?
Psyk0tik
Veteran Member
Join Date: May 2012
Location: Homeless
06-23-2021, 07:04   Re: can players exploit sourcemod with their name?
#2

Yes, that's why you need to target them via User ID or Serial. Never target clients via their name in plugins.
Code:
ServerCommand("sm_command #%i", GetClientUserId(client));
sukodaime
Junior Member
Join Date: May 2021
06-23-2021, 20:08   Re: can players exploit sourcemod with their name?
#3

Quote:
Originally Posted by Crasher_3637
Yes, that's why you need to target them via User ID or Serial. Never target clients via their name in plugins.
Code:
ServerCommand("sm_command #%i", GetClientUserId(client));

Can they exploit it with such an easy name as ";quit", or do they have to use more complex names?

And how can I make a plugin that says "{playername} Welcome !"
if we can't directly use their name?

And does using PrintToChat bypass that name exploit?

Last edited by sukodaime; 06-23-2021 at 20:08.
Blinx
Senior Member
Join Date: Oct 2013
06-24-2021, 10:03   Re: can players exploit sourcemod with their name?
#4

I'm not very knowledgeable about code injection but I think sm_command is your only worry since it's executing a command without any filtering as far as I know, but stuff like PrintToChat and basically every other function doesn't work like that.

As for your specific worry though, %N is a formatting thing that puts someone's name into the string provided a client index, i.e.,

PrintToChat(client, "%N Welcome to the server!", client);

Hopefully someone with more in-depth knowledge of SourcePawn can verify these things.
MAGNAT2645
Senior Member
Join Date: Nov 2015
Location: AlliedMods.net
06-24-2021, 11:56   Re: can players exploit sourcemod with their name?
#5

It is safe to use SM's Print* functions. I know only two cases where you shouldn't use player name:
1) FakeClientCommand(Ex), ServerCommand() and ClientCommand() - use UserId instead (as said in #2).

2) SQL Queries - use Database.Format or Database.Escape to escape some symbols in player name.
Last edited by MAGNAT2645; 06-24-2021 at 11:57.
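
The three cases raised in this thread (chat output, a server command string, an SQL query) side by side in one plugin, as an added example that is not code from any of the posters. Assumptions: `sm_command` is the thread's placeholder command, "default" is the database entry in databases.cfg, and the `visits` table is hypothetical.

```sourcepawn
#include <sourcemod>

Database g_Db; // stays null until the connect callback succeeds

public void OnPluginStart()
{
    // "default" is the assumed entry name in databases.cfg.
    Database.Connect(OnDbConnected, "default");
}

void OnDbConnected(Database db, const char[] error, any data)
{
    if (db == null)
        LogError("database connect failed: %s", error);
    else
        g_Db = db;
}

public void OnClientPutInServer(int client)
{
    if (IsFakeClient(client))
        return;

    // Display: Print* only formats text for the chat; the name is never parsed as a command.
    PrintToChatAll("%N Welcome!", client);

    // Command string: target by user ID ("#<userid>"), never by name.
    // "sm_command" is the placeholder command from the thread.
    ServerCommand("sm_command #%d", GetClientUserId(client));

    if (g_Db == null)
        return;

    // SQL: Database.Format escapes %s arguments before they are placed in the query.
    // The "visits" table and its columns are hypothetical.
    char name[MAX_NAME_LENGTH];
    GetClientName(client, name, sizeof(name));
    char query[512];
    g_Db.Format(query, sizeof(query),
        "INSERT INTO visits (userid, name) VALUES (%d, '%s')",
        GetClientUserId(client), name);
    g_Db.Query(OnVisitLogged, query);
}

void OnVisitLogged(Database db, DBResultSet results, const char[] error, any data)
{
    if (results == null)
        LogError("visits insert failed: %s", error);
}
```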