[Tutorial] Protection against '%' dialog vulnerability!
#1

Example:

https://www.youtube.com/watch?v=RJ6F17EFqYc

You can fix it simply by checking the inputtext before using it, with this stock:

pawn Code:
stock CheckDialogBug(message[])
{
    new message_length = strlen(message);
    for(new i; i < message_length; i++)
    {
        if(message[i] == '%')
        {
            return 1;
        }
    }
    return 0;
}
Now you're gonna use this check in all DIALOG_STYLE_INPUT dialogs.

Example of usage:

Code:
if(CheckDialogBug(inputtext)) return SendClientMessage(playerid, 0, "{FFFFFF}You can't use '%' in strings.");
#2

I doubt if this is a bug... How do you use the inputtext in your formats and printfs?

Because if I use a %s in any format/printf, then it just works.
My test code:
PHP Code:
public OnGameModeInit() {
    new
        message[] = "%s",
        string[128]
    ;
    // The test string is passed as data for "%s", not as the format itself.
    format(string, sizeof(string), "%s", message);
    printf("%s", message);
    return 1;
}

UPDATE: nvm, I see now that SendClientMessageToAll doesn't like %s and any other format.
#3

Metharon is right, it's a bug. (with entering a %s and using it on format, it will fuck the server)
There's a filter on messages with OnPlayerText and OnPlayerCommandText; it removes % on input and also colors on input too!
But you can use the filter which is used on OnPlayerText and OnPlayerCommandText:
Code:
for(new i = 0, j = strlen(input); i < j; i++)
{
	if(input[i] == '%') input[i] = '#';
}
Also you must write code to filter color embedding like {FFFFFF} (it isn't a vulnerability, but players mustn't be able to use embedded colors IMO).
Easy to write, I'll post it here soon.
#4

Ok, here is the code:

Code:
// By AliAssassiN
// Code removed- sorry
Example:
Code:
new test[90];
format(test, 90, "Gitchasbdhias {dsadaksm}{{FFFFFF}} {FF00AA0} {FF00AA} ASLdM {ASdSAMk2} {ZAFFAA}QDad");
printf("Before: %s\n", test);
removeEmbeddedColor(test);
printf("After: %s\n", test);
Output:
Code:
Before: Gitchasbdhias {dsadaksm}{{FFFFFF}} {FF00AA0} {FF00AA} ASLdM {ASdSAMk2} {ZAFFAA}QDad

After: Gitchasbdhias {dsadaksm}{ FFFFFF } {FF00AA0}  FF00AA  ASLdM {ASdSAMk2} {ZAFFAA}QDad
Reply
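Added example, not part of any post in this thread and not AliAssassiN's removed code: one Pawn helper that combines the '%' replacement from post #3 with blanking the braces of well-formed {RRGGBB} tokens, matching the Before/After output shown in post #4. The names SanitizeDialogInput, IsHexDigit and DIALOG_EXAMPLE are hypothetical.

```pawn
// Added example, not code from the thread. SanitizeDialogInput, IsHexDigit
// and DIALOG_EXAMPLE are hypothetical names.
#include <a_samp>

#define DIALOG_EXAMPLE 1000   // hypothetical dialog id

static bool:IsHexDigit(c)
{
    return ('0' <= c <= '9') || ('a' <= c <= 'f') || ('A' <= c <= 'F');
}

// Copies src into dest, replacing '%' with '#' and blanking the braces of
// every well-formed {RRGGBB} token so it is no longer parsed as a colour.
stock SanitizeDialogInput(dest[], const src[], size = sizeof(dest))
{
    new len = strlen(src);
    if (len > size - 1) len = size - 1;   // truncate to fit dest

    for (new i = 0; i < len; i++)
        dest[i] = (src[i] == '%') ? '#' : src[i];
    dest[len] = '\0';

    for (new i = 0; i + 7 < len; i++)     // a token spans dest[i] .. dest[i + 7]
    {
        if (dest[i] != '{' || dest[i + 7] != '}') continue;
        new k = 1;
        while (k <= 6 && IsHexDigit(dest[i + k])) k++;
        if (k == 7)                        // exactly six hex digits inside
        {
            dest[i] = dest[i + 7] = ' ';
            i += 7;
        }
    }
    return len;
}

public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[])
{
    if (dialogid == DIALOG_EXAMPLE && response)
    {
        new clean[128], line[144];
        SanitizeDialogInput(clean, inputtext);
        // The input is passed as data for "%s"; it is never the format string.
        format(line, sizeof(line), "You entered: %s", clean);
        SendClientMessage(playerid, 0xFFFFFFFF, line);
        return 1;
    }
    return 0;
}
```

Unlike the reject-on-'%' check in post #1, this keeps the player's text and only neutralises the two character patterns the thread discusses.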

