
Commit 8f9b2df

admin2: security fixes
1 parent 0dbb83d commit 8f9b2df

4 files changed

+79
-12
lines changed


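--- a/[admin]/admin2/conf/ACL.xml
+++ b/[admin]/admin2/conf/ACL.xml
@@ -77,7 +77,7 @@
 <right name="command.setfpskicker" access="true" />
 <right name="command.setidlekicker" access="true" />
 <right name="command.clearchat" access="true" />
-<right name="command.setserverconf" access="true" />
+<right name="command.setconfig" access="true" />
 <!--Bans related-->
 <right name="command.ban" access="true" />
 <right name="command.unban" access="true" />
@@ -160,7 +160,7 @@
 <right name="command.setfpskicker" access="false" />
 <right name="command.setidlekicker" access="false" />
 <right name="command.clearchat" access="true" />
-<right name="command.setserverconf" access="false" />
+<right name="command.setconfig" access="false" />
 <!--Bans related-->
 <right name="command.ban" access="true" />
 <right name="command.unban" access="true" />
@@ -243,7 +243,7 @@
 <right name="command.setfpskicker" access="false" />
 <right name="command.setidlekicker" access="false" />
 <right name="command.clearchat" access="true" />
-<right name="command.setserverconf" access="false" />
+<right name="command.setconfig" access="false" />
 <!--Bans related-->
 <right name="command.ban" access="false" />
 <right name="command.unban" access="false" />
@@ -323,7 +323,7 @@
 <right name="command.setfpskicker" access="false" />
 <right name="command.setidlekicker" access="false" />
 <right name="command.clearchat" access="false" />
-<right name="command.setserverconf" access="false" />
+<right name="command.setconfig" access="false" />
 <!--Bans related-->
 <right name="command.ban" access="false" />
 <right name="command.unban" access="false" />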

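--- a/[admin]/admin2/server/admin_ACL.lua
+++ b/[admin]/admin2/server/admin_ACL.lua
@@ -252,12 +252,17 @@ local aACLFunctions = {
 triggerClientEvent(client, EVENT_ACL, client, ACL_ACL, group, data)
 end
 }
+
 addEvent(EVENT_ACL, true)
-addEventHandler(
-EVENT_ACL,
-root,
+addEventHandler(EVENT_ACL, root,
 function(action, ...)
-aACLFunctions[action](...)
+if not hasObjectPermissionTo( client, "general.tab_acl" ) then
+outputServerLog( ( "[ADMIN SECURITY]: Player %s [%s %s] attempted to tamper with server ACL without proper rights" ):format( client.name, client.ip, client.serial ) )
+return
+end
+if action then
+aACLFunctions[action](...)
+end
 end
 )
 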
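Review bot: `aACLFunctions[action](...)` on the new side still calls whatever the client-supplied `action` indexes, and the added `if action then` guard only rejects nil/false, so an unknown key still produces an attempt-to-call-nil runtime error inside the handler. Look the handler up first: `local handler = aACLFunctions[action]` / `if handler then handler(...) end`. The permission check also indexes `client.name` before confirming `client` is set, unlike `admin_sync.lua` in this same commit which guards with `if client and ...`; if EVENT_ACL is ever triggered server-side, `hasObjectPermissionTo(nil, ...)` will not grant and the log line then raises on the nil `client` — worth either guarding the same way or adding `-- EVENT_ACL is only expected from client-side; client must be set` above the check. The `aACLFunctions` table that the handler dispatches into starts before this hunk.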
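--- a/[admin]/admin2/server/admin_session.lua
+++ b/[admin]/admin2/server/admin_session.lua
@@ -42,9 +42,9 @@ addEventHandler(
 end
 end
 if (type == SESSION_UPDATE or type == SESSION_START) then
-if (hasObjectPermissionTo(client, "general.adminpanel")) then
+if (hasObjectPermissionTo(client or source, "general.adminpanel")) then
 local tableOut = {}
-local account = "user." .. getAccountName(getPlayerAccount(client))
+local account = "user." .. getAccountName(getPlayerAccount(client or source))
 for gi, group in ipairs(aclGroupList()) do
 for oi, object in ipairs(aclGroupListObjects(group)) do
 if ((object == account) or (object == "user.*")) then
@@ -61,7 +61,7 @@ addEventHandler(
 end
 end
 end
-triggerClientEvent(client, EVENT_SESSION, client, tableOut)
+triggerClientEvent(client or source, EVENT_SESSION, client, tableOut)
 end
 end
 end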
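Review bot: The new `triggerClientEvent(client or source, EVENT_SESSION, client, tableOut)` still passes bare `client` as the source element, so on the server-triggered path the `or source` fallback the commit added for the recipient and for the account lookup is not applied to the third argument, and a nil source element would make the call fail instead of delivering the session table. Make it consistent with the other two uses: `triggerClientEvent(client or source, EVENT_SESSION, client or source, tableOut)`. The ordering inside `client or source` is also load-bearing for the permission check: `client` is the verified sender while `source` is whatever element the triggering code named, so the fallback is only safe because `client` is tested first — a one-line comment such as `-- client is set for client-triggered events; source is only trusted when the server itself fires the event` would keep a later edit from swapping them. The enclosing `addEventHandler` callback begins before this hunk.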

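--- a/[admin]/admin2/server/admin_sync.lua
+++ b/[admin]/admin2/server/admin_sync.lua
@@ -7,17 +7,38 @@
 * Original File by lil_Toady
 *
 **************************************]]
+
+local function hasClientPermissionTo(strRight)
+if client and not hasObjectPermissionTo(client, strRight) then
+outputServerLog( ( "[ADMIN SECURITY]: Player %s [%s %s] attempted to perform admin data sync without proper rights (%s)" ):format( client.name, client.ip, client.serial, strRight ) )
+return false
+end
+return true
+end
+
 addEvent(EVENT_SYNC, true)
 addEventHandler(
 EVENT_SYNC,
 root,
 function(type, data)
+
+if not hasClientPermissionTo("general.adminpanel") then
+return
+end
+
 local tableOut = {}
 local theSource = root
+
 if (type == SYNC_PLAYER) then
+
 if (not isElement(data)) then
 return
 end
+
+if not hasClientPermissionTo( "general.tab_players" ) then
+return
+end
+
 aPlayers[client]["sync"] = data
 tableOut["mute"] = isPlayerMuted(data)
 tableOut["freeze"] = isElementFrozen(data)
@@ -33,6 +54,7 @@ addEventHandler(
 end
 tableOut["account"] = getAccountName(account)
 theSource = data
+
 elseif (type == SYNC_PLAYERS) then
 for id, player in ipairs(getElementsByType("player")) do
 tableOut[player] = {}
@@ -42,7 +64,13 @@ addEventHandler(
 tableOut[player].country = aPlayers[player]["country"]
 tableOut[player].countryname = aPlayers[player]["countryname"]
 end
+
 elseif (type == SYNC_PLAYERACL) then
+-- Not called by client-side
+if client then
+return
+end
+
 local player = data
 if isElement(player) then
 theSource = player
@@ -57,7 +85,12 @@ addEventHandler(
 end
 end
 end
+
 elseif (type == SYNC_RESOURCES) then
+if not hasClientPermissionTo("command.listresources") then
+return
+end
+
 tableOut = {}
 local resourceTable = getResources()
 for id, resource in ipairs(resourceTable) do
@@ -69,7 +102,12 @@ addEventHandler(
 end
 table.insert(tableOut[group], {name = name, state = state})
 end
+
 elseif (type == SYNC_RESOURCE) then
+if not hasClientPermissionTo("command.listresources") then
+return
+end
+
 local resource = getResourceFromName(data)
 tableOut.name = data
 tableOut.info = {}
@@ -81,7 +119,12 @@ addEventHandler(
 tableOut.info.description = getResourceInfo(resource, "description") or nil
 tableOut.info.settings = getResourceSettings(data, false)
 end
+
 elseif (type == SYNC_ADMINS) then
+if not hasClientPermissionTo("general.tab_adminchat") then
+return
+end
+
 for id, player in ipairs(aPlayers) do
 tableOut[player] = {}
 tableOut[player]["admin"] = hasObjectPermissionTo(player, "general.adminpanel")
@@ -101,19 +144,38 @@ addEventHandler(
 end
 end
 end
+
 elseif (type == SYNC_SERVER) then
+if not hasClientPermissionTo("general.tab_server") then
+return
+end
+
 tableOut["name"] = getServerName()
 tableOut["players"] = getMaxPlayers()
 tableOut["game"] = getGameType()
 tableOut["map"] = getMapName()
 tableOut["password"] = getServerPassword()
+
 elseif (type == SYNC_BAN) then
+if client then
+return
+end
 tableOut = data
+
 elseif (type == SYNC_BANS) then
+if not hasClientPermissionTo("general.tab_bans") then
+return
+end
+
 for id, ban in pairs(getBansList()) do
 tableOut[id] = getBanData(ban)
 end
+
 elseif (type == SYNC_MESSAGES) then
+if not hasClientPermissionTo( "command.listmessages" ) then
+return
+end
+
 local unread, total = 0, 0
 for id, msg in ipairs(aReports) do
 if (not msg.read) then
@@ -124,7 +186,7 @@ addEventHandler(
 tableOut["unread"] = unread
 tableOut["total"] = total
 end
-triggerClientEvent(client, EVENT_SYNC, theSource, type, tableOut)
+triggerClientEvent(client or source, EVENT_SYNC, theSource, type, tableOut)
 end
 )
 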
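Review bot: In the SYNC_PLAYER branch the only validation on the client-supplied `data` is `isElement(data)`, so any element handle passes the new `general.tab_players` gate and reaches `isPlayerMuted(data)`, which expects a player; tighten it to `if not isElement(data) or getElementType(data) ~= "player" then return end`. `hasClientPermissionTo` intentionally returns true when `client` is nil, which suits server-side `triggerEvent` callers but is not obvious from the name — give it a header comment along the lines of `-- Returns true when the event was fired server-side (client == nil) or the calling client holds strRight; otherwise logs the attempt and returns false.` Note that the same SYNC_PLAYER branch then does `aPlayers[client]["sync"] = data`, which indexes `aPlayers[nil]` on exactly the server-side path the helper lets through, so that branch presumably needs `client` to be set and should say so or check it. The callback's closing `end` is inside the last hunk, but several branches of the `if`/`elseif` chain lie between the visible hunks.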
