From eb6279a5a4b7f00bae95e57360bbd6fd66cad09d Mon Sep 17 00:00:00 2001
From: MrStonedOne
Date: Wed, 15 Apr 2015 10:11:37 -0700
Subject: [PATCH] Removes admin notices on failed logins in isbanned
This could be used to spam admins, without them having any way to stop it, and as tobba has informed me, isbanned() is called before byond does much validation on the data (like checking that the claimed username exist or validating that they own it), leaving these notices vulnerable to html injection
---
 code/modules/admin/IsBanned.dm | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/code/modules/admin/IsBanned.dm b/code/modules/admin/IsBanned.dm
index a89aea9f725..b3aa7455c17 100644
--- a/code/modules/admin/IsBanned.dm
+++ b/code/modules/admin/IsBanned.dm
@@ -48,11 +48,9 @@ world/IsBanned(key,address,computer_id)
 if(IsGuestKey(key))
 if (!guests_allowed)
 log_access("Failed Login: [key] - Guests not allowed")
-message_admins("Failed Login: [key] - Guests not allowed")
 return list("reason"="guest", "desc"="\nReason: Guests not allowed. Please sign in with a byond account.")
 if (config.panic_bunker && dbcon && dbcon.IsConnected())
 log_access("Failed Login: [key] - Guests not allowed during panic bunker")
-message_admins("Failed Login: [key] - Guests not allowed during panic bunker")
 return list("reason"="guest", "desc"="\nReason: Sorry but the server is currently not accepting connections from never before seen players or guests. If you have played on this server with a byond account before, please log in to the byond account you have played from.")
 //Population Cap Checking
@@ -66,7 +64,6 @@ world/IsBanned(key,address,computer_id)
 . = CheckBan( ckey(key), computer_id, address )
 if(.)
 log_access("Failed Login: [key] [computer_id] [address] - Banned [.["reason"]]")
-message_admins("Failed Login: [key] id:[computer_id] ip:[address] - Banned [.["reason"]]")
 return .
 return ..() //default pager ban stuff
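Review bot: The surviving `log_access()` calls in both hunks still interpolate `key` before BYOND has validated it, so the same attacker-chosen string the description says can carry markup now lands in the access log instead of admin chat; if that log is ever viewed through an HTML-rendering admin panel the injection concern this commit removes from message_admins() reappears there, and the path remains unthrottled, so log spam is still possible. Consider logging `ckey(key)` (already used for the CheckBan() call in the second hunk) or html_encode()'d text in the three log_access() lines, e.g. `log_access("Failed Login: [html_encode(key)] - Guests not allowed")`. A short comment where the notices were removed would keep them from being reintroduced: `// No message_admins() here: key is unvalidated at this point, so admin notices could be spammed or carry injected HTML`. world/IsBanned() starts before the first hunk, and whether `return ..()` is its last line cannot be seen from here.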