[Request] Creating a list of cvars that are prohibited from sending values to Query Client CVar

[Splatt581]

I propose to create a list of cvars that will not send values ​​to server requests svc_sendcvarvalue and svc_sendcvarvalue2 - in response, game client can send a Bad CVAR request string.

Such a list may include, for example, cvars rcon_address, rcon_port and rcon_password. They must be private, because the remote control mechanism of the game server by the game client implies that the player does not have to be on the controlled server - using the cvars rcon_address and rcon_port, player can specify the data where rcon commands will be sent. An attacker can take advantage of this and, having lured the victim-admin to his server, obtain the values ​​of the cvars rcon_address, rcon_port and rcon_password via svc_sendcvarvalue or svc_sendcvarvalue2.

[SamVanheer]

I've already reported this on HackerOne with those cvars listed.

@mikela-valve you should add this issue to the private one.

[afwn90cj93201nixr2e1re]

@mikela-valve can you also make setinfo buffer lil more than now? Or make some cmd for auto clearing?
For reset to default, coz some server's making some stupid records, then we get info buffer exceeded blah blah blah, then we must close hame, clear config and start game again.

[SamVanheer]

Changing the info buffer size will break this API:

halflife/common/com_model.h

Lines 315 to 349 in c7240b9

	#define MAX_INFO_STRING 256
	#define MAX_SCOREBOARDNAME 32
	typedef struct player_info_s
	{
	// User id on server
	int userid;
	// User info string
	char userinfo[ MAX_INFO_STRING ];
	// Name
	char name[ MAX_SCOREBOARDNAME ];
	// Spectator or not, unused
	int spectator;
	int ping;
	int packet_loss;
	// skin information
	char model[MAX_QPATH];
	int topcolor;
	int bottomcolor;
	// last frame rendered
	int renderframe;
	// Gait frame estimation
	int gaitsequence;
	float gaitframe;
	float gaityaw;
	vec3_t prevgaitorigin;
	customization_t customdata;
	} player_info_t;

Same for physics info buffers.

[GiovaniFerraroTrivelli]

@mikela-valve can you also make setinfo buffer lil more than now? Or make some cmd for auto clearing?
For reset to default, coz some server's making some stupid records, then we get info buffer exceeded blah blah blah, then we must close hame, clear config and start game again.

A command for reset to default userinfo values is a good idea 👍

[10th]

exec clear_si.cfg ;-)

[afwn90cj93201nixr2e1re]

and? This do nothing. Coz this doesn't rewrite any setinfo's. It's can just replace some of keys.

[2010kohtep]

Setinfo restorer from one of my project. It would be nice to have something like this officially, I think.

[mikela-valve]

@2010kohtep Could you post that as a separate issue for tracking? I'm going to implement something like that but it might take a bit more discussion to finish.

[2010kohtep]

@mikela-valve Sure thing: #2589

[mikela-valve]

This should be fixed now in the current beta.

[Splatt581]

Fixed, I confirm. Now, in response to requests for these cvars, game client sends string CVAR is privileged. Also, the server cannot change values of these cvars via svc_stufftext in order to send password to the changed address.

I think that client command rcon should also be added to the list of privileged ones, so that the attacker could not control the victim’s server through the victim’s client using svc_stufftext.

[mikela-valve]

I agree, I'll make rcon privileged as well.

[Splatt581]

Fixed.