bknht
Everything posted by bknht

  1. "Any client had a full list of online players. A compromised client could teleport to each one and kill then rapidly." I read this as "could teleport each one and kill them rapidly", so my bad. I did not go back and verify the exact phrasing again as you were already dismissive of any and all input, criticism and pleas with a "what we say goes" attitude in regards to mods. Yes, what you say goes, but at least take into consideration the people who supported your game for 10 years and kept it fresh with new things for the playerbase to enjoy while the core game matured. Oh, the question above: it broke every single mod out there needing a fully qualified list of people. Examples are everywhere around the mod scene, small and large. I have a mod that allows vehicle claiming with permissions management. When somebody wants another to be able to enter they get a context menu to add them. Another mod is an economy mod allowing people to wire each other money via ATM, and here I need an instance because I need to get first and last name instead of usernames, as it is in an RP environment. Also, wiring money to somebody 10 tiles away is not really sensible. It is an "across the map" feature.
  2. Then why are player coordinates of the others even relevant if they are teleported to the attacker regardless? The premise to break this core function was "use a list of usernames to teleport players to attacker and kill them" which can still be done with or without this function being useless now. If this is such a huge risk maybe putting it behind some anti cheat setting is a good idea then, so server owners can decide on their own, like with the other twenty something codes where nobody really knows what they do. Want a player list to be available? Enable anti cheat xyz, done.
  3. Can you please confirm what you will be looking into so modders can prepare for this? If you're leaving the getOnlinePlayers useless then I'll prepare getting the username list from the ISScoreboard instance instead, like a hypothetical hacker would. I am still very curious of the motivation why this change serves to prevent hacking. To be able to teleport a player across the map or to the attacker, that means that the server has to greenlight the teleport. To greenlight it, the user has to have an access level allowing that. When you have an access level you also get the full getOnlinePlayers return, so I really see no logic in this decision. Think of it this way: If I want to prevent a hacker deleting subpages on my website I would not delete the sitemap showing him which ones exist, as 1) he would still need privileges / backend access to do that, 2) he would still be able to access the pages via the normal website navigation (like the scoreboard on escape). The only consequence of this is to make it worse for everybody depending on an agreed upon part of the website to exist and function, same as mods who need a way of getting a full list of users.
  4. Any client can listen to the scoreboard update events too and get the list from there. Policing teleports and ranks associated with commands should not be a client issue as the server is supposed to validate teleportto commands, nor should this undocumented change cripple every mod out there relying on this function without warning, documentation, or changelog entry. If this is about "being done" with B41, I could understand the "we do not want to fix it" approach, but selling this as a security feature is iffy at best.
  5. From Discord: https://discordapp.com/channels/136501320340209664/1037775705871753266