[quake3] [PATCH] cl_guid

Tony J. White tjw at webteam.net
Mon Apr 10 20:47:16 EDT 2006


On Tue, Apr 11, 2006 at 01:14:45AM +0200, Ludwig Nussel wrote:
> Tony J. White wrote:
> > [...]
> > On startup, the client engine looks for a file called qkey.  If it does
> > not exist, 2KiB worth of random binary data is inserted into the qkey file.
> > An MD5 digest is then made of the qkey file and it is inserted into the
> > cl_guid cvar.  This is essentially the same way it works on ET except that
> > pb uses some other secret voodoo to hide how it comes up with the MD5 digest. 
> 
> What about directly storing the hex representation of 16 random
> bytes in the cvar instead of hashing 2k using MD5?

There needs to be a way of preventing the user from setting their own MD5 to
whatever they want or there will be a bunch of players with the cl_guid of 
0000000000000000000000000B00B135.   Or a malicious server admin could collect
the guids of his players who may have admin rights on other servers to
impersonate them.

Of course it would be possible to build your own ioq3 client with that
cl_guid hardcoded, but this at least prevents casual abuse.

To counter this, it would be possible for the client to send the contents of
the qkey to the server on request so the hash can be validated (which I
believe pb also does).   I have not looked into the specifics of this though
and such a thing could always be added later as an enhancement.

-Tony
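
Added example, not part of the original message or of the ioquake3 patch: a Python model of the scheme described above (a 2 KiB random qkey, its MD5 digest as cl_guid) together with the server-side check the message mentions as a possible enhancement. The function names, the upper-case hex format, and the 0600 file mode are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

QKEY_SIZE = 2048  # "2KiB worth of random binary data", per the message


def load_or_create_qkey(path):
    """Client side: return the qkey bytes, creating the file on first start."""
    try:
        with open(path, "rb") as f:
            data = f.read()
        if len(data) == QKEY_SIZE:
            return data
    except FileNotFoundError:
        pass
    data = os.urandom(QKEY_SIZE)
    # Mode 0600 keeps other local users from reading the key (assumption).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return data


def guid_from_qkey(qkey):
    """cl_guid value: MD5 digest of the qkey contents as 32 hex characters."""
    return hashlib.md5(qkey).hexdigest().upper()


def server_validate(claimed_guid, qkey):
    """Server side (hypothetical): accept only if the qkey sent on request
    has the expected size and hashes to the guid the client claimed."""
    if len(qkey) != QKEY_SIZE:
        return False
    return guid_from_qkey(qkey) == claimed_guid.upper()


def demo():
    """Return (key persists, honest client accepted, hand-set guid accepted)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "qkey")
        qkey = load_or_create_qkey(path)
        persists = load_or_create_qkey(path) == qkey
        honest = server_validate(guid_from_qkey(qkey), qkey)
        # A guid typed in by hand has no qkey on disk that hashes to it.
        hand_set = server_validate("0000000000000000000000000B00B135", qkey)
        return persists, honest, hand_set
```

The check only establishes that the client holds a qkey matching the guid it claims; the server receives the full qkey in the process.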


