Jump to content

[SOLVED] Security risks


xTimPugz

Recommended Posts

Hello

 

I seriously care about security for the mods I code so players do not get an unfair advantage.

Something keeps spooking my mind, how does networking actually work?

Can't someone just edit a mod and change the piece of code so the client can excecute server code and so manipulate for instance his/her location or where he / she is looking/shooting at?

 

EDIT: I will post my code on GitHub soon, open source is great!!

 

Thank you for the responses that I am sure will come! ( :D )

 

Link to comment
Share on other sites

Well the first rule of any network based application is to "never trust the data from the client side".

Minecraft handles everything important on the server side, sending packets to the clients with the changes so the client render and do client-sided stuff. If the client wanted something to happen it sends network packets of the specifics that the server should handle, those packets usually cannot contain harmful information because the server only accepts certain packets and handle them according to their type.

 

Let's say the player on the client clicked the keybind for jump, the client sends a packet to the server that the jump keybind has been pressed. The server will recognize the packet as a keybind packet and handle the code so that the player would jump on the server, then it sends back the new position to the client so it would render the player position

 

Client packets can be manipulated by external sources, resulting in things like fly hacks. However, the server still is in control of all what it does, and how information is handled is up to the implementation.

 

In the case of multiplayer, the client is on the player's PC but the server is somewhere else on the net, it is impossible to force the server to execute code. The only way to change anything is using the packet system, and like I said, the server only handles the packets it knows how to handle.

Link to comment
Share on other sites

Well not really, the thing is it's all about the implementation of the handling. If a mod decided to destroy the world when a client presses a button it will happen, but that's because it was hard-coded to do so. However, the way Minecraft works really gives the client little chance to do things. Almost everything that happens in the world where direct player interaction isn't needed (such as ticking tile entities) happens automatically on the server side.

As a modder, one must always consider the first rule when handling packets, don't let the client be in control of doing big things directly.

Link to comment
Share on other sites

Note: Get your terms correct here, Nothing in Forge/Minecraft allows remote code execution. As in, The client can't send any code to the server and have it run it.

HOWEVER, Minecraft is rather horrible in it's 'security' when validating who can do what and when. So there are a lot of 'hacks' out there that let you do things you shouldn't do.

This is simply Minecraft being poorly written from the get-go.

However, its nothing serious so we don't care. "Oh look you can fly around for a while, good for you!"

I do Forge for free, however the servers to run it arn't free, so anything is appreciated.
Consider supporting the team on Patreon

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Announcements



×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.