Chat Print/Formatting Bugs

Discussion in 'Support' started by Rothgar, Jan 13, 2009.

  1. Rothgar

    Rothgar Member

    Logged a SourceMod bug originally thinking it was a bug with them.

    https://bugs.alliedmods.net/show_bug.cgi?id=3557

    After doing some testing it might be an Empires specific bug.

    Ran a few test scripts from Fyren:

    Code:
    public Action:what(client, args)
    {
    	LoadTranslations("mapchooser.phrases");
    	PrintToChatAll("Plain PTCA: %d%% of", 1);
    	PrintToChatAll("[SM] %t", "Current Map Stays", 1, 2);
    	new String:s[16];
    	Format(s, sizeof(s), "%d%% of", 1);
    	PrintToChatAll("Format: %s", s);
    	vformattest(1);
    	return Plugin_Handled;
    }
    
    vformattest(...)
    {
    	new String:s[16];
    	VFormat(s, sizeof(s), "VFormat: %d%% of", 1);
    	PrintToChatAll("%s", s);
    }

    These ended up printing:

    Code:
    Plain PTCA: 12106472420f
    [SM] Current map continues! The Vote has spoken! (Received 12106472420f 2 votes)
    Format: 12106472420f
    VFormat: 12106472420f

    From speaking to Kylegar and BAILOPAN we believe it might be an issue with lack of sanitizing the chat messages.

    BAILOPAN mentioned the chat messages use:

    Example message:

    Code:
    "Current map continues! The Vote has spoken! (Received {1}%% of {2} votes)"

    This would become for example (normally):

    Code:
    "Current map continues! The Vote has spoken! (Received 50% of 2 votes)"

    Fyren said the "o" is getting eaten and %o is an unsigned octal or something because the output is:

    Code:
    "(Received 12106472420f 2 votes)"

    Code:
    (13:34:15) <dvander> Kylegar: one reason would be not sanitizing input.  for example, having user string S
    (13:34:25) <dvander> and doing print(S) instead of print("%s", S)
    (13:35:03) <dvander> what is most likely happening is
    (13:35:13) <dvander> sourcemod is giving the game a string like "50% blah"
    (13:35:26) <dvander> then the game is not handling the string correctly, passes it to a formatter directly
    (13:35:30) <dvander> and the "% b" is picked up as a format code
    (13:35:45) <dvander> these things are important to fix, they're security sensitive (exploitable)
     
  2. Theowningone

    Theowningone Noone likes me :'(

    There are a lot of formatting issues I saw. One of which being the votes, another was that console chat constantly has quotes around it.
     
  3. Kylegar

    Kylegar Specstax Rule

    Pretty sure it's parsing the string twice, as dvander said.

    In SM: printf("blah blah %i%%", iWhatever) outputs "blah blah 10%", then when passed to Empires, reads the % as a control character.


    Either me or MOOtant will look into it
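
The double formatting discussed in this thread, as an added C example (not code from SourceMod, Empires, or any poster): the text is formatted once, then relayed either as a format string or as data. The function names and the `stand_in` argument are assumptions made so the demo is well defined.

```c
#include <stdio.h>
#include <string.h>

/* Pass 1 (plugin side): "%d%% of" with 1 yields the literal text "1% of". */
int first_pass(char *out, size_t n, int pct) {
    return snprintf(out, n, "%d%% of", pct);
}

/* Pass 2, unsafe: the finished text is reused as a format string, so "% o"
 * parses as a conversion (space flag + octal). A real caller supplies no
 * argument here, which is undefined behaviour; stand_in (an assumption of
 * this demo) keeps the call well defined. */
int relay_unsafe(char *out, size_t n, const char *msg, unsigned stand_in) {
    return snprintf(out, n, msg, stand_in);
}

/* Pass 2, safe: the message is data, never the format string. */
int relay_safe(char *out, size_t n, const char *msg) {
    return snprintf(out, n, "%s", msg);
}

/* For an API that always formats its input: double every '%' first.
 * Returns the escaped length, or -1 if out is too small. */
int escape_percent(char *out, size_t n, const char *msg) {
    size_t j = 0;
    if (n == 0) return -1;
    for (size_t i = 0; msg[i] != '\0'; i++) {
        size_t need = (msg[i] == '%') ? 2 : 1;
        if (j + need >= n) return -1;
        if (need == 2) out[j++] = '%';
        out[j++] = msg[i];
    }
    out[j] = '\0';
    return (int)j;
}

int main(void) {
    char once[32], bad[32], good[32], esc[64], fixed[32];
    first_pass(once, sizeof once, 1);
    relay_unsafe(bad, sizeof bad, once, 0u);      /* "10f": the " o" is eaten */
    relay_safe(good, sizeof good, once);          /* "1% of" */
    escape_percent(esc, sizeof esc, once);        /* "1%% of" */
    relay_unsafe(fixed, sizeof fixed, esc, 0u);   /* "1% of" */
    printf("once=[%s] unsafe=[%s] safe=[%s] escaped=[%s] refmt=[%s]\n",
           once, bad, good, esc, fixed);
    return 0;
}
```

With a stand-in argument of 0 the unsafe relay prints `10f`, the same shape as the `12106472420f` output above, where the digits between `1` and `f` are whatever value the formatter happened to read.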
     
