RCON cd allows full browsing #6193
Comments
The_Dude wrote:
This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13664 |
Sp1k3 wrote:
This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13665 |
Hazzard wrote:
This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13666 |
peter1138 wrote:
This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13687 |
Sp1k3 wrote:
This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13691 |
krinn wrote:
This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13694 |
adf88 wrote:
This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13703 |
peter1138 wrote:
This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment14367 |
Fully agree that full filesystem listing is silly. It always struck me as odd that we allow navigation like that. Of course the console was never meant to be used as an rcon, but is now anyway. Possibly it is better to allow settings folders where savegames can be in for servers, and disallow 'cd' and friends. |
Would it be possible to have a permissions config file where each console command and setting has a number going from -1 to 254, where -1 or 255 = infinity, as well as a way to set the permission level of clients (those commands always have infinite permission level)? This would mean that while servers can always execute any command or setting change that they can already do, clients can't execute any command or setting change with permission level higher than their own, with an error message saying that you don't have permission to use that command. The reasoning for this is that just the RCON password and the RCON cd folder blacklist may not be enough, as clients can still force a server to restart the game or change settings for the worse of others. Adding the permissions system will hopefully limit those malicious actions and make for a better multiplayer experience. |
Although it is absolutely not the best solution (that you can Furthermore, as mentioned earlier in this thread, In the way OpenTTD is designed, this is very hard to prevent. We look for files in 7+ folders, and any subfolders thereof. We could add things like whitelisting, or even blacklisting. But in the end .. So after almost 10 years, I am going to close this ticket without actually resolving it. Some parts of me wish we could/would actually resolve it, but seeing a ticket of 10 years with barely any activity, is also an indication. As for the suggestions to make |
Sp1k3 opened the ticket and wrote:
Reported version: trunk
Operating system: All
This issue was imported from FlySpray: https://bugs.openttd.org/task/6193
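The folder whitelisting suggested in the comments above, as an added example that is not OpenTTD's own code: a console path argument is resolved first and accepted only if the result stays inside an allowed root. `ConsolePathGuard` and its methods are hypothetical names, and the `save` root is a constructed sample value.

```cpp
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Hypothetical helper (not an OpenTTD class): accepts a console 'cd'/'ls'
// argument only if the resolved path stays inside an allowed root.
class ConsolePathGuard {
public:
    explicit ConsolePathGuard(const std::vector<fs::path> &roots) {
        for (const auto &r : roots) {
            fs::path c = fs::weakly_canonical(r);
            if (!c.has_filename()) c = c.parent_path(); // drop a trailing '/'
            if (!c.empty()) roots_.push_back(c); // an empty root would match everything
        }
    }
    // Returns the canonical target when permitted, std::nullopt otherwise.
    std::optional<fs::path> Resolve(const fs::path &cwd, const std::string &arg) const {
        std::error_code ec;
        // operator/ keeps an absolute 'arg' as-is; weakly_canonical then
        // collapses "." and ".." and follows symlinks in the existing part.
        fs::path target = fs::weakly_canonical(cwd / arg, ec);
        if (ec) return std::nullopt;
        for (const auto &root : roots_) if (IsInside(root, target)) return target;
        return std::nullopt;
    }
private:
    // Component-wise prefix test, so root "save" does not match "save_evil".
    static bool IsInside(const fs::path &root, const fs::path &target) {
        auto t = target.begin();
        for (auto r = root.begin(); r != root.end(); ++r, ++t) {
            if (t == target.end() || *r != *t) return false;
        }
        return true;
    }
    std::vector<fs::path> roots_;
};

int main() {
    // Constructed sample: the only allowed root is ./save.
    const fs::path save = fs::current_path() / "save";
    ConsolePathGuard guard({save});
    for (const char *arg : {"sub", "..", "../other", "/"}) {
        std::cout << "cd " << arg << " -> " << (guard.Resolve(save, arg) ? "allowed" : "denied") << "\n";
    }
}
```

The check runs on the canonical path rather than the raw string, so a symlink placed inside an allowed folder cannot be used to step outside it.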