Welcome to AC Web.
Rochet2's AIO question

  1. #1
    Join Date: Dec 2015 | Location: Developing the world | Posts: 1,224


    Greetings,

    I recently found out that you can basically "exploit" AIO functions and this is a demonstration:


    If I have a variable X on the client side and I want to pass it to the server side, I would do:

    Code:
    AIO.Handle("Test", "TestFunc", X)
    and on the server side I would have
    Code:
    function MyHandlers.TestFunc(player, X)
        T = X -- T is a global value
    end
    But what happens if I run
    Code:
    /run AIO.Handle("Test", "TestFunc", "1234")
    from the client (in the chat).

    So my question is, is there a method (I don't see one) to 'return' a value?

    For example, on my server side I would have:
    Code:
    T = AIO.Handle(player, "Test", "GetX")
    and on my client side I would have:
    Code:
    function MyHandlers.GetX()
        return X
    end
    Thanks for reading and thanks in advance for your answers.

  2. #2

    Join Date: Feb 2010 | Location: http://rochet2.github.io/ | Posts: 5,289
    The friendly neighborhood Jamey notified me of your post.

    Labeling sending packets to the server as an exploit is ... ehh ... somewhat far-fetched.
    But indeed players can, like with anything, send anything to the server. Be sure to check that any values you get from the client are what you expect. For example, is X a number, a string or a table? It could be anything the client sends, and if you don't check things there can be exploits.

    Currently you are going to need to do an AIO.Handle call from the client to send a request for data and then an AIO.Handle call on the server to send the requested data.

    You cannot directly send a message and wait for a reply in a blocking way, as that would halt the whole client for possibly seconds.
    Instead the process needs to be done in an asynchronous/non-blocking way.
    Even if the call would not freeze the client, you would need to call your functions outside of any rendering to avoid partially rendering a frame.
    It seems that the client supports coroutines, which could be used to handle the calls in a non-intrusive way.
    Another way is to make it work through some kind of callbacks, maybe similar to promises in other languages. That way you could maybe first make a Get call and then render something in the callback.
    In any case the system can be built on top of the existing system. It would change how the data gets back to the caller though.
    Last edited by Rochet2; 02-19-2020 at 01:51 AM.
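The request/reply pattern Rochet2 describes (one AIO.Handle from the client to ask, one AIO.Handle from the server to answer, with a callback instead of a blocking wait), written out as an added example. This is not code from the thread or from the AIO project. It uses the AIO calls the thread already shows (AIO.AddHandlers and AIO.Handle on each side) and additionally assumes that AIO.IsServer() is available so one file can carry both ends, that client-side handlers receive the player as their first argument the way server-side handlers do, and that LoadX is a placeholder for wherever X really lives. The request id check on the server is the "is it the type you expect" check from the post: a player can just as easily type /run AIO.Handle("Test", "GetX", {}).

```lua
-- Added example: a non-blocking "ask the server for X" built on AIO.Handle.
-- Assumptions (not from the thread): AIO.IsServer() exists, client-side
-- handlers receive the player as their first argument like server-side ones,
-- and LoadX is a hypothetical stand-in for wherever X is actually stored.
local AIO = AIO or require("AIO")

local ADDON = "Test"   -- handler namespace, as in the thread

if AIO.IsServer() then
    -- Server side (Eluna). The value lives here; the client only ever sends
    -- a request id, so there is no X for a player to fake.
    local MyHandlers = AIO.AddHandlers(ADDON, {})

    local function LoadX(player)
        -- hypothetical: look the value up per player (DB, player state, ...)
        return 42
    end

    -- The reply carries the request id back so the client can match it to
    -- the callback it registered. Anything that is not a plain number is
    -- dropped: /run AIO.Handle("Test", "GetX", {}) must not reach LoadX.
    function MyHandlers.GetX(player, requestId)
        if type(requestId) ~= "number" then
            return
        end
        AIO.Handle(player, ADDON, "GetXReply", requestId, LoadX(player))
    end
else
    -- Client side (WoW addon).
    local MyHandlers = AIO.AddHandlers(ADDON, {})
    local pending = {}   -- requestId -> callback waiting for the reply
    local nextId = 0

    -- Promise-style request: returns at once; the callback runs later when
    -- the reply arrives, so rendering never stalls waiting on the network.
    local function RequestX(callback)
        nextId = nextId + 1
        pending[nextId] = callback
        AIO.Handle(ADDON, "GetX", nextId)
        return nextId
    end

    -- Replies for ids we never asked for (or already answered) are ignored,
    -- so a stale or duplicated reply cannot fire a callback twice.
    function MyHandlers.GetXReply(player, requestId, value)
        local callback = pending[requestId]
        if not callback then
            return
        end
        pending[requestId] = nil
        callback(value)
    end

    -- Usage: do the drawing inside the callback, not after the request.
    RequestX(function(x)
        print("X from server:", tostring(x))
    end)
end
```

The pending table is the whole "promise": the caller hands over a function and gets control back immediately, and nothing on the client ever waits for the socket. If your AIO version does not pass a player to client-side handlers, drop that first parameter from GetXReply.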

  3. #3
    Join Date: Dec 2015 | Location: Developing the world | Posts: 1,224
    Quote Originally Posted by Rochet2 View Post
    The friendly neighborhood Jamey notified me of your post.

    Labeling sending packets to the server as an exploit is ... ehh ... somewhat far-fetched.
    But indeed players can, like with anything, send anything to the server. Be sure to check that any values you get from the client are what you expect. For example, is X a number, a string or a table? It could be anything the client sends, and if you don't check things there can be exploits.

    Currently you are going to need to do an AIO.Handle call from the client to send a request for data and then an AIO.Handle call on the server to send the requested data.

    You cannot directly send a message and wait for a reply in a blocking way, as that would halt the whole client for possibly seconds.
    Instead the process needs to be done in an asynchronous/non-blocking way.
    Even if the call would not freeze the client, you would need to call your functions outside of any rendering to avoid partially rendering a frame.
    It seems that the client supports coroutines, which could be used to handle the calls in a non-intrusive way.
    Another way is to make it work through some kind of callbacks, maybe similar to promises in other languages. That way you could maybe first make a Get call and then render something in the callback.
    In any case the system can be built on top of the existing system. It would change how the data gets back to the caller though.
    So, with the current AIO system, is it actually possible to send values to the server WITHOUT them being able to be manipulated?

  4. #4
    Quote Originally Posted by titkata_bg View Post
    So, with the current AIO system, is it actually possible to send values to the server WITHOUT them being able to be manipulated?
    No. Everything that happens on the client, which includes sending values to the server in this case, is able to be manipulated.

  5. #5
    You should always validate the data server-side, as you have no control over the data that the client sends. Sometimes you might not even know if the data is sent from a game client or some other communication construct. Though validating the client's request client-side before the request is sent to the server is great if you want to save server-side performance or want to give immediate feedback to the user, it should never replace server-side validation.
    Last edited by Fractional; 02-19-2020 at 03:06 PM.

  6. #6
    Join Date: Dec 2015 | Location: Developing the world | Posts: 1,224
    Quote Originally Posted by Fractional View Post
    You should always validate the data server-side, as you have no control over the data that the client sends. Sometimes you might not even know if the data is sent from a game client or some other communication construct. Though validating the client's request client-side before the request is sent to the server is great if you want to save server-side performance or want to give immediate feedback to the user, it should never replace server-side validation.

    Well I cannot see any of that being done without a way to manipulate it, honestly :/

  7. #7
    Quote Originally Posted by titkata_bg View Post
    Well I cannot see any of that being done without a way to manipulate it, honestly :/
    Keep the player's state server-side and let the client request an action, which the server then validates before it processes the request. Let's say you have a system where a player has to spend 10 points, then you can store the number of points available for the player server-side but also let the client know how many points that can be spent. Then when the client sends a request you can validate, update the state and perform logic server-side. If the player has spent all points, and still sends the request from the client to the server, you can ensure that the request is not properly handled. That's why Rochet2 told you to check sent values as well as other things to avoid exploits in the systems you have created.
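The point system from this post and the server-side validation rule from post #5, as an added example in working Lua. This is not code from the thread or from the AIO project. It uses the same AIO calls the thread shows, and additionally assumes AIO.IsServer() for a one-file addon, Eluna's player:GetGUIDLow() as the key for per-player state, a placeholder GrantReward in place of whatever the points actually buy, and an in-memory table standing in for the database. The balance and the price list exist only on the server; the client sends nothing but an offer id, and the server decides. IsPositiveInteger and TrySpend are plain Lua with no AIO dependency, so they can be exercised in a normal interpreter.

```lua
-- Added example: server-authoritative spending. The client may send the
-- wrong type, a negative or fractional number, an offer that does not
-- exist, or repeat a request after its points are gone; none of that
-- changes server state. Assumptions (not from the thread): AIO.IsServer(),
-- Eluna's player:GetGUIDLow(), GrantReward as a placeholder, and an
-- in-memory table instead of a database.
local AIO = AIO or require("AIO")

local ADDON = "Points"
local OFFERS = { [1] = 10, [2] = 25 }   -- offerId -> cost, defined only here
local STARTING_POINTS = 30              -- stand-in for the stored balance

-- Accept only finite positive integers: nil, tables, strings, NaN, inf,
-- negatives and fractions all fail. Note that "1" (a string) also fails.
local function IsPositiveInteger(v)
    return type(v) == "number" and v == v and v ~= math.huge
        and v > 0 and math.floor(v) == v
end

-- Pure decision: returns the new balance, or nil plus a reason.
-- It never touches state, so it can be tested without AIO or a server.
local function TrySpend(balance, offerId)
    if not IsPositiveInteger(offerId) then
        return nil, "bad offer id"
    end
    local cost = OFFERS[offerId]
    if not cost then
        return nil, "unknown offer"
    end
    if balance < cost then
        return nil, "not enough points"
    end
    return balance - cost
end

if AIO.IsServer() then
    local MyHandlers = AIO.AddHandlers(ADDON, {})
    local points = {}   -- guidLow -> balance; stand-in for persistent storage

    local function GrantReward(player, offerId)
        -- hypothetical: give the item / unlock the feature
    end

    -- The client says which offer it wants, never the cost or its balance.
    function MyHandlers.Buy(player, offerId)
        local guid = player:GetGUIDLow()
        local balance = points[guid] or STARTING_POINTS
        local newBalance, err = TrySpend(balance, offerId)
        if not newBalance then
            AIO.Handle(player, ADDON, "Result", false, err, balance)
            return
        end
        points[guid] = newBalance   -- commit the state before granting
        GrantReward(player, offerId)
        AIO.Handle(player, ADDON, "Result", true, nil, newBalance)
    end
else
    local MyHandlers = AIO.AddHandlers(ADDON, {})
    local shownBalance = STARTING_POINTS   -- what the server last told us

    -- Client-side check is only for instant feedback: a player can bypass
    -- it with /run AIO.Handle("Points", "Buy", 2), so the server repeats it.
    local function Buy(offerId)
        if shownBalance < (OFFERS[offerId] or math.huge) then
            print("Not enough points (client check)")
            return
        end
        AIO.Handle(ADDON, "Buy", offerId)
    end

    function MyHandlers.Result(player, ok, err, balance)
        shownBalance = balance
        print(ok and "Bought it" or ("Rejected: " .. tostring(err)),
              "balance:", balance)
    end

    Buy(1)
end
```

The split between TrySpend (decides) and MyHandlers.Buy (commits and replies) is deliberate: the decision function is where every untrusted field is checked, and it has no side effects, so a wrong branch can be found with a handful of calls such as TrySpend(30, "1"), TrySpend(30, 3) and TrySpend(5, 1) before the code ever sees a real client.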

  8. #8

    Join Date: Feb 2010 | Location: http://rochet2.github.io/ | Posts: 5,289
    What is it that you are trying to do exactly that you have an issue with?
    I don't think anyone can help you much further without a more specific example of why you can't validate the user's message.

  9. #9
    Join Date: Dec 2015 | Location: Developing the world | Posts: 1,224

    The problem is that the system is way too big for me to recode (the ClassLess AIO if you know it), though I think I found a way to 'validate' requests.
