mirror of
https://github.com/VOREStation/VOREStation.git
synced 2026-02-08 23:29:52 +00:00
While browsing through my server's code looking for possible exploits to fix, I noticed the following: The autolathe can be used to duplicate any and all objs. The faulty code accepts any refID from the usr without a safety check to see if the requested obj is in the autolathe_recipes list. This works "only" on objs because it will trigger a runtime error if the object has no material vars. The default buildcost values for obj are zero, so it always goes through the materials-check, but it would not be sufficient to plug this exploit at this point. The trivial fix is to have a check to see if the given refID is in the autolathe_recipes list, although a datum-based construction method would probably be more robust. As basically identical autolathe code appears to be used in Baycode, /tg/, /vg/, Para, and all other builds I could look at, I assumed this exploit has been undetected since Goon. And indeed, the faulty code is present in Gooncode rev4407 and has been ever since.
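
The missing check described above, modelled in Python as an added example; it is not the autolathe's DM code or the author's fix. Ref IDs, item names, costs and function names are constructed, and only `autolathe_recipes` comes from the post. The last function sketches the recipe-keyed ("datum-based") alternative the post mentions.

```python
# Constructed model of the check described above; not the game's DM code.
from dataclasses import dataclass

@dataclass
class Obj:
    name: str
    cost: int = 0  # per the post, a plain obj's default build cost is zero

# Every live object is reachable by ref ID (IDs and items are constructed).
WORLD = {
    "[0x1]": Obj("wrench", 150),
    "[0x2]": Obj("screwdriver", 75),
    "[0x3]": Obj("rare_artifact"),  # in the world, but not a recipe
}
AUTOLATHE_RECIPES = [WORLD["[0x1]"], WORLD["[0x2]"]]

def build_unchecked(ref, metal):
    """Faulty pattern: any ref that resolves is accepted as a template."""
    template = WORLD.get(ref)
    if template is None or metal < template.cost:  # zero cost always passes
        return None
    return Obj(template.name, template.cost)

def build_allowlisted(ref, metal):
    """The post's fix: the resolved object must be one of the recipes."""
    template = WORLD.get(ref)
    # Identity comparison: an equal-looking object elsewhere does not count.
    if template is None or not any(template is r for r in AUTOLATHE_RECIPES):
        return None
    if metal < template.cost:
        return None
    return Obj(template.name, template.cost)

# Recipe-keyed variant: the client names a recipe and never supplies a ref.
RECIPES = {"wrench": 150, "screwdriver": 75}

def build_from_recipe(key, metal):
    cost = RECIPES.get(key)
    if cost is None or metal < cost:
        return None
    return Obj(key, cost)
```

With the recipe-keyed handler the object table is never consulted, so a request can only ever name something the server has defined as buildable.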