
Blocking sm_rtv is not working!


Ethorbit
Member
Join Date: Sep 2016
Location: Oregon
Old 06-23-2017 , 15:20   Blocking sm_rtv is not working!
Reply With Quote #1

PHP Code:
#include <sourcemod>

public OnPluginStart()
{
    RegConsoleCmd("sm_rtv", BlockTheseCommands);
}

public Action:BlockTheseCommands(client, args)
{
    decl String:steamId[64];
    GetClientAuthString(client, steamId, sizeof(steamId));
    if (StrEqual(steamId, "STEAM_0:0:77919865")) {
        return Plugin_Handled;
    }
    return Plugin_Continue;
}

All it's supposed to do is check if it's my steamid and if it is then block the command.
I even replaced Plugin_Handled with
PrintToChat(client, "I see your steamid! It's %s", steamId);
And sure enough it knew my Steamid, so the if statement isn't wrong, if I'm correct, this SHOULD block the command, but it doesn't and sm_rtv functions as normal.

Last edited by Ethorbit; 06-23-2017 at 15:21.
ambn
Veteran Member
Join Date: Feb 2015
Location: Fun servers
Old 06-23-2017 , 15:39   Re: Blocking sm_rtv is not working!
Reply With Quote #2

Use AddCommandListener
Ethorbit
Member
Join Date: Sep 2016
Location: Oregon
Old 06-23-2017 , 23:48   Re: Blocking sm_rtv is not working!
Reply With Quote #3

Quote:
Originally Posted by ambn View Post
Use AddCommandListener
PHP Code:
#include <sourcemod>

public OnPluginStart()
{
    AddCommandListener(Command_Block, "sm_rtv");
    AddCommandListener(Command_Block, "sm_nominate");
    AddCommandListener(Command_Block, "sm_nextmap");
}

public OnClientPostAdminCheck(client) {
    decl String:steamId[64];
    decl String:nick[64];
    GetClientAuthString(client, steamId, sizeof(steamId));
    if (StrEqual(steamId, "STEAM_0:0:77919865")) {
        GetClientName(client, nick, sizeof(nick));
        ServerCommand("sm_mute %s", nick);
        ServerCommand("sm_silence %s", nick);
        ServerCommand("sm_gag %s", nick);
    }
}

public Action:Command_Block(client, const String:command[], argc)
{
    decl String:steamId[64];
    GetClientAuthString(client, steamId, sizeof(steamId));
    if (StrEqual(steamId, "STEAM_0:0:77919865")) {
        return Plugin_Handled;
    }
    return Plugin_Continue;
}
Same deal..

Last edited by Ethorbit; 06-24-2017 at 01:38.
ddhoward
Veteran Member
Join Date: May 2012
Location: California
Old 06-24-2017 , 01:06   Re: Blocking sm_rtv is not working!
Reply With Quote #4

Quote:
Originally Posted by Ethorbit View Post
PHP Code:
decl String:nick[64];
GetClientAuthString(client, steamId, sizeof(steamId));
if (StrEqual(steamId, "STEAM_0:0:77919865")) {
    GetClientName(client, nick, sizeof(nick));
    ServerCommand("sm_mute %s", nick);
    ServerCommand("sm_silence %s", nick);
    ServerCommand("sm_gag %s", nick);
}
Same deal..
Cool, all the person with that Steam ID has to do is change his name on Steam to lololol; quit and run sm_rtv, and your server crashes. Or he could change his name to lololol; sm_noclip lololol to give himself noclip.

NEVER RUN A CLIENT'S NAME THROUGH ServerCommand()!

Also, I don't think you can block +voicerecord in that manner. It's not a command that's sent to the server, IIRC.

Last edited by ddhoward; 06-24-2017 at 01:09.
Ethorbit
Member
Join Date: Sep 2016
Location: Oregon
Old 06-24-2017 , 01:36   Re: Blocking sm_rtv is not working!
Reply With Quote #5

Quote:
Originally Posted by ddhoward View Post
Cool, all the person with that Steam ID has to do is change his name on Steam to lololol; quit and run sm_rtv, and your server crashes. Or he could change his name to lololol; sm_noclip lololol to give himself noclip.

NEVER RUN A CLIENT'S NAME THROUGH ServerCommand()!

Also, I don't think you can block +voicerecord in that manner. It's not a command that's sent to the server, IIRC.
You can't change your SteamID though, and how exactly is this player going to run any command through the console? If I'm correct, if your steamid is that, then it gets your name; all it does is run specific commands on you, not the other way around. Inside hl2dm if you name yourself to someone else it just puts a number after your name, so it'd still only target you.

Also, I just blocked having ; in your name.
Not only this, but you're not contributing ANYTHING, you just came here to tell me what I'm doing is wrong.

Still need help, would like if you gave some support.

Last edited by Ethorbit; 06-24-2017 at 01:42.
Ethorbit
Member
Join Date: Sep 2016
Location: Oregon
Old 06-25-2017 , 01:39   Re: Blocking sm_rtv is not working!
Reply With Quote #6

Still need some support.
ddhoward
Veteran Member
Join Date: May 2012
Location: California
Old 06-25-2017 , 02:08   Re: Blocking sm_rtv is not working!
Reply With Quote #7

I came to tell you that what you did is a major security vulnerability if you decide to pass untrusted players' names through ServerCommand, and I would have expected you to take it seriously rather than replying with snark and disrespect to a person who is trying to help you. By passing a player's name through ServerCommand, you effectively give that player the ability to send whatever command they want through ServerCommand, as they usually have control over what they are named.

So, let's say I'm on your server. I run sm_rtv. My name is ddhoward. These are the commands that get run by the console:

sm_mute ddhoward
sm_silence ddhoward
sm_gag ddhoward

Let's say that I know about the vulnerability that your plugin has, due to reading about it on this very thread. I then go onto Steam, and rename myself to:

Quote:
ddhoward; sm_kick @all
Then I run sm_rtv. These commands are then run by the server:

sm_gag ddhoward; sm_kick @all
sm_mute ddhoward; sm_kick @all
sm_silence ddhoward; sm_kick @all

The server kicks everyone, as the Source engine uses semicolons to separate commands given at once.

Or maybe I change my name on Steam to:

Quote:
ddhoward; sm_noclip ddhoward;
The server would run the following commands:

sm_gag ddhoward; sm_noclip ddhoward
sm_mute ddhoward; sm_noclip ddhoward
sm_silence ddhoward; sm_noclip ddhoward

Boom, I have noclip.



Ideally, ServerCommand should be avoided wherever possible. In the case of sm_gag and sm_mute, you can just use the BaseComm_SetClientGag() and BaseComm_SetClientMute() natives.

Where ServerCommand is unavoidable (because the plugin accepting the command doesn't provide natives like basecomm does) then you should be using the UserID instead of the client name. Note that any command that parses targeting strings via FindTarget() or ProcessTargetString() can use the UserID instead of the name, preceded by the # symbol.

So, let's say that I was the 371st player to join the server since the last reboot. The following would work to silence me:

sm_gag #371

So, your code can be improved in this way:

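PHP Code:
if (StrEqual(steamId, "STEAM_0:0:77919865")) {
    // The user ID is an integer assigned by the server, so no player-controlled text reaches the command string.
    ServerCommand("sm_mute #%i", GetClientUserId(client));
    ServerCommand("sm_silence #%i", GetClientUserId(client));
    ServerCommand("sm_gag #%i", GetClientUserId(client));
}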

But this way is even better:

PHP Code:
// Requires #include <basecomm> at the top of the plugin.
if (StrEqual(steamId, "STEAM_0:0:77919865")) {
    BaseComm_SetClientGag(client, true);
    BaseComm_SetClientMute(client, true);
}

Also, "silence" is just gag and mute rolled into one. You don't need to do all three.

Also, try returning Plugin_Stop instead of Plugin_Handled when you want to block the command? lol idk

Last edited by ddhoward; 06-25-2017 at 02:30.
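
Added example, not part of any post in this thread and not the posters' own code: the advice from post #7 assembled into one plugin in current SourcePawn syntax, so that no player-controlled string is ever formatted into ServerCommand(). The IsTarget helper and the sm_somecommand name are hypothetical; the command listener is carried over from the thread, which does not confirm whether it stops sm_rtv.

```sourcepawn
#include <sourcemod>
#include <basecomm>

#pragma semicolon 1
#pragma newdecls required

// Steam ID used throughout the thread.
#define TARGET_STEAMID "STEAM_0:0:77919865"

// Hypothetical helper: true only for a real, connected player whose
// Steam ID matches. GetClientAuthId fails until the ID is known.
bool IsTarget(int client)
{
    if (client < 1 || client > MaxClients || !IsClientConnected(client) || IsFakeClient(client))
    {
        return false;
    }
    char steamId[64];
    if (!GetClientAuthId(client, AuthId_Steam2, steamId, sizeof(steamId)))
    {
        return false;
    }
    return StrEqual(steamId, TARGET_STEAMID);
}

public void OnPluginStart()
{
    AddCommandListener(Command_Block, "sm_rtv");
    AddCommandListener(Command_Block, "sm_nominate");
    AddCommandListener(Command_Block, "sm_nextmap");
}

public void OnClientPostAdminCheck(int client)
{
    if (!IsTarget(client))
    {
        return;
    }
    // basecomm natives take the client index, so no command string is built.
    BaseComm_SetClientGag(client, true);
    BaseComm_SetClientMute(client, true);
    // Where another plugin offers only a console command, target by user ID.
    // "sm_somecommand" is a placeholder; the integer is assigned by the server.
    ServerCommand("sm_somecommand #%d", GetClientUserId(client));
}

public Action Command_Block(int client, const char[] command, int argc)
{
    return IsTarget(client) ? Plugin_Handled : Plugin_Continue;
}
```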