Review - Trusting the client?
Bug #685940 reported by XavierAntoviaque
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Humanity Project | Won't Fix | High | Vlad Dragu | |
Bug Description
Why do you access a GET variable to get the hack results in
FirstMission, instead of using an object property? This relates to a
part of the codebase that I don't know very well, so I'm unsure. You
never trust anything that directly comes from the client, right?
Changed in hackit: status: Incomplete → Won't Fix
From the discussion:
> [vlad] that GET var is not coming from client input. When the player
> does an action in the game, I use an ajax call to alert the mission
> engine that an action has been taken. The ajax call is a post call
> actually and that's where the var comes from. I get the hack results
> from the game session.
Could you show me where this is handled in the code? Do you check what
you get from the client ajax call? Even if it is not coming from player
input in the browser, would a player be able to craft an HTTP request
that would make the mission engine believe the hack was a success when
it was actually a failure?
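
The question raised in this thread, shown as an added example that is not part of the bug report or the project's code: a notification handler that believes the outcome carried in the request, beside one that only takes the action identifier from the request and looks the outcome up in server-side session state. All names (`GameSession`, `notify_trusting`, `notify_checked`, the `hack_result` and `target` parameters) are hypothetical, and the request bodies are constructed sample data.

```python
# Added illustration; all names (GameSession, notify_trusting, notify_checked,
# "hack_result", "target") are hypothetical and not taken from the project.
from dataclasses import dataclass, field


@dataclass
class GameSession:
    """Server-side state: only game-engine code writes to it."""
    hack_results: dict = field(default_factory=dict)  # target -> bool

    def record_hack(self, target: str, success: bool) -> None:
        self.hack_results[target] = success


def notify_trusting(session: GameSession, params: dict) -> bool:
    """Mission engine believes the outcome carried in the request."""
    return params.get("hack_result") == "success"


def notify_checked(session: GameSession, params: dict) -> bool:
    """The request only says which action happened; the outcome is looked up
    in server-side state, so an outcome supplied by the client is ignored."""
    target = params.get("target")
    if not isinstance(target, str):
        return False
    return session.hack_results.get(target, False) is True


def demo() -> dict:
    session = GameSession()
    session.record_hack("server-01", False)  # the hack actually failed
    # Constructed request bodies. The page's own script would send the honest
    # one, but any field that arrives over HTTP can be written by hand.
    forged = {"target": "server-01", "hack_result": "success"}
    honest = {"target": "server-01", "hack_result": "failure"}
    return {
        "trusting_forged": notify_trusting(session, forged),
        "trusting_honest": notify_trusting(session, honest),
        "checked_forged": notify_checked(session, forged),
        "checked_honest": notify_checked(session, honest),
    }


if __name__ == "__main__":
    for name, completed in demo().items():
        print(f"{name}: mission completed = {completed}")
```

Whether the variable arrives by GET, by POST, or from an AJAX call makes no difference to the first handler; only the second one ties mission completion to what the game engine itself recorded.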