File automatic download security

Started by
9 comments, last by NickW 18 years, 9 months ago
The game I am writing has the ability to tell the client to download files from the server (for example, map files), and put them in a specified location. Normally these filenames would only be something like "maps/test.map", however I realize this is a huge security risk if ever someone hacked the server and changed the in-game resources to viruses or something like that. So, I figure I'll try to stop it by doing the following:

1. Disallow any filenames that have colons in them; this should stop any absolute paths.
2. Disallow any filenames that have two slashes in succession; this will stop network URIs.
3. Disallow any filenames with ".." in them; this will stop filenames from accessing anything below the root directory.
4. Disallow any filenames with .exe, .scr, .bat, .com or .reg.

Here is the algorithm I've made:

	#include <cctype>
	#include <cstring>
	#include <string>

	// Returns false when the server-supplied filename must be rejected.
	bool filenameIsAllowed(const std::string& filename)
	{
		char filenametoken[8092];
		// strcpy into a fixed buffer overflows on a long name; reject those first.
		if(filename.size() >= sizeof(filenametoken))
			return false;
		strcpy(filenametoken, filename.c_str());

		// Walk the path one component at a time, splitting on either separator.
		for(char * token = strtok(filenametoken, "\\/"); token; token = strtok(NULL, "\\/"))
		{
			bool allspaces = true;
			for(unsigned int index = 0; index < strlen(token); index++)
			{
				if(token[index] != ' ')
					allspaces = false;

				if(token[index] == ':')
					return false;

				if(token[index] == '.' && token[index + 1] == '.')
					return false;

				// strstr is case-sensitive, so lower-case the component before the extension checks
				token[index] = (char)tolower((unsigned char)token[index]);
			}

			if(strstr(token, ".exe"))
				return false;
			if(strstr(token, ".scr"))
				return false;
			if(strstr(token, ".bat"))
				return false;
			if(strstr(token, ".com"))
				return false;
			if(strstr(token, ".reg"))
				return false;

			if(allspaces == true)
				return false;
		}

		return true;
	}

I am not sure I understand it correctly: you're concerned that somebody would re-engineer the client to download other files than normal "game files" from your server?

Why not have a web server running on the server that handles all the file requests? Something like http://yourhostname/getfile.php?file=5435434, and after this GET request the server handles which file (could be anywhere on the server) is sent back?
Because the game server is distributed to the users, similar to Counter-Strike or Unreal, I'm afraid someone would re-engineer the server.
I wouldn't worry about it. Limit it to certain files of a certain extension from a certain directory. You seem to be worrying about something that isn't even a problem in the commercial game realm.
WanMaster, his problem is that he is trying to allow servers that have different resources than clients. In games like Counter-Strike, servers will often make you download the current map if you don't have it, and often .wav's that play at certain times (when the server triggers them).

My thought is this, NickW: you should be parsing map files, not executing them, so downloading the virus shouldn't do anything. The virus cannot run until you run the file. Well, since your in-game music should be parsing music files, the same stands true for that as well -- you probably won't have too many issues with viruses because you are not executing any files -- just interpreting them. If there is a virus hidden in these files, the parsing will fail -- you just delete the files and disconnect from the server. Simple as that.

You seem to be worried that someone will change the hardcoded resources in your server, but if you look at Half-Life modifications, you will realize they use configuration files -- which are easily changed. They are able to use config files to specify location because they do not fear viruses -- and I believe it is for the reason above: they parse, not execute.

If you are really paranoid, you could also try this:
If the client runs it, the server runs it. You could either have no dedicated servers, or just have your dedicated servers be dumb clients that do the same parsing as a regular client, but do not display. This way, if someone even tried to load a virus, they would do it on their own server as well -- so even if they figured out a way to get it to execute on the client, they would be fucking up their own server at the same time.

Just make sure the server cannot download anything from the client.

<3 visage
Still, placing a file in the wrong location could seriously screw up someone's computer. Overwriting a system file with a 'valid' map or wav file could still cause serious harm.

Also, the resources are not necessarily hardcoded into the server. The server allows the server administrator to select which map file to use, etc.

Furthermore, there is no way for the client to verify that the server is 'running' whatever resources it wants the client to download.
Quote: Original post by visage
WanMaster, his problem is that he is trying to allow servers that have different resources than clients. In games like counter-strike, servers will often make you download the current map if you don't have it, and often .wav's that play at certain times (when the server triggers them).

I don't get it. You're still just downloading files, aren't you?
It's clear to me we're talking about the security risks at the client side, so I was off anyway.

(if I'm hijacking this thread, excuse and ignore me, I am just curious)
The problem is that someone might re-engineer the server to tell the client to download viruses or overwrite system files.
WanMaster, your method would actually ensure that there are no path issues -- but running a webserver on top of a game server seems a bit unnecessary. However, you seem to be onto something...

NickW, what if your server said "Client, you need a MAP with fileID 502155", then the client would say "Okay, downloadMap(502155)..." at which time, the server would take that ID and map it to a file, and begin sending the file (NOT THE FILE URL). The client would never be given any path, and therefore would never be requested to place it at any location other than the default map directory. No matter what file the server sends, it should be sent to the correct directory, and the client will be parsing, not executing. Therefore, nothing can be overwritten.

Though, I still don't see how overwriting would be really possible. If the client downloads any files from the server, and the server is trying to place them at a specific location, the client should be verifying the file's content in memory before writing it to disk, as well as verifying the extension on the filename. So only downloading maps that end in .map, and making sure the file format is correct after downloading it into memory, would ensure it could not overwrite any system files -- it could only be placed into wacky directories. So I suppose your method is a good fallback if you only want files to be placed in certain locations -- such as subdirectories within your map directory...though, I don't see why you are allowing directories at all. Just file names. But I think WanMaster's idea is best.
Just limit the client so that it can only save files in defined directories within the game directory. You might want to prohibit it from overwriting existing files as well. And you definitely do want to prohibit the client from running any executables.
Limiting the allowed file types as you suggested is also a good thing.

The server doesn't download anything, it's the client that does all the downloading. As long as the client isn't compromised, the hacked server can't do anything that the client doesn't allow.

You will NEVER be able to stop people from running hacked servers.
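As an added example, not code from the thread or from NickW's game, here is the allow-list approach the later replies converge on: the client ignores any directory the server names, accepts only approved extensions, checks the bytes against the format the extension claims before touching disk, pins the file under one fixed download directory, and never overwrites. The allowed-extension set, the "NMAP" map magic and the download directory are constructed assumptions for this example.

```cpp
#include <cctype>
#include <fstream>
#include <optional>
#include <string>

// Extensions the client will accept (constructed allow-list for this example).
static const char* const kAllowedExt[] = {".map", ".wav"};

// Reduce whatever name the server sent to a bare leaf name: drop every directory
// component (either separator), allow only a conservative character set, and
// require an approved extension, compared case-insensitively.
std::optional<std::string> safeLeafName(const std::string& requested)
{
    // find_last_of returns npos when there is no separator; npos + 1 wraps to 0.
    std::string leaf = requested.substr(requested.find_last_of("/\\") + 1);
    if (leaf.empty() || leaf == "." || leaf == "..") return std::nullopt;
    for (unsigned char c : leaf)                   // rejects ':', spaces, control bytes
        if (!std::isalnum(c) && c != '.' && c != '_' && c != '-') return std::nullopt;
    std::size_t dot = leaf.rfind('.');
    if (dot == std::string::npos || dot == 0) return std::nullopt;  // no extension / dot-file
    std::string ext = leaf.substr(dot);
    for (char& c : ext) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    for (const char* ok : kAllowedExt)
        if (ext == ok) return leaf.substr(0, dot) + ext;
    return std::nullopt;
}

// Check the downloaded bytes against the format the extension claims before anything
// touches disk. "RIFF" is the real WAV signature; "NMAP" is a constructed magic
// standing in for the game's own map header. `data` holds the raw downloaded bytes.
bool contentMatchesExt(const std::string& leaf, const std::string& data)
{
    bool isWav = leaf.size() >= 4 && leaf.compare(leaf.size() - 4, 4, ".wav") == 0;
    const std::string magic = isWav ? "RIFF" : "NMAP";
    return data.compare(0, magic.size(), magic) == 0;   // false when data is too short
}

// The only path the client will ever write to, or nothing. The server never picks
// the directory, and an existing file is never overwritten.
std::optional<std::string> resolveDownloadPath(const std::string& downloadDir,
                                               const std::string& requested,
                                               const std::string& data)
{
    std::optional<std::string> leaf = safeLeafName(requested);
    if (!leaf || !contentMatchesExt(*leaf, data)) return std::nullopt;
    std::string target = downloadDir + "/" + *leaf;
    if (std::ifstream(target).good()) return std::nullopt;  // refuse to overwrite
    return target;
}
```

With this shape the blacklist of ':' and ".." becomes unnecessary: "..\..\Windows\evil.MAP" simply collapses to "evil.map" inside the download directory, and anything that is not a map or wav with the right header is dropped before a path is even formed.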
