Executing commands without the FCVAR_SERVER_CAN_EXECUTE flag in multiplayer through point_clientcommand or point_broadcastclientcommand entities are prevented from being ran by the game. #436

Open
NathanL1370 opened this issue Jun 4, 2024 · 3 comments

NathanL1370 commented Jun 4, 2024

This wasn't an issue before, but it seemingly now is.

Recent updates for Portal 2 caused commands without the server_can_execute flag (such as upgrade_potatogun) executed by point_clientcommand or point_broadcastclientcommand entities to return `FCVAR_SERVER_CAN_EXECUTE prevented server running command: upgrade_potatogun` in the console. The command only goes through if said command is run through a point_servercommand entity or run manually from the client's console.

  1. Open Portal 2 and launch any coop map in splitscreen (`ss_map mp_coop_lobby_3`).
  2. Create a point_clientcommand or point_broadcastclientcommand entity by running `ent_create point_clientcommand` or `ent_create point_broadcastclientcommand` in the console.
  3. Attempt to run a command without the server_can_execute flag through the clientcommand/broadcastclientcommand entity by running `ent_fire point_clientcommand command "<command without server_can_execute flag>"` or `ent_fire point_broadcastclientcommand command "<command without server_can_execute flag>"` in the console. The console should now return `FCVAR_SERVER_CAN_EXECUTE prevented server running command: <command without server_can_execute flag>`. For example, upgrade_potatogun, which does not have the server_can_execute flag, should return `FCVAR_SERVER_CAN_EXECUTE prevented server running command: upgrade_potatogun`.

I don't know if this change was meant to combat RCE exploits and crashes, or if it's a bug with the game.
I have tested this on Windows and Steam Deck, both platforms have this issue. Linux and Mac may also be affected.

Image showing the problem:
20240604143220_1

vrad-exe commented Jun 5, 2024

I noticed this recently too. This is actually unrelated to commands being cheats, the game now disallows remote servers from executing any command that doesn't have the flag FCVAR_SERVER_CAN_EXECUTE in code. You can see which commands have it by typing help <command>, and seeing if the output shows server_can_execute - it's not many.

This is technically a security fix (disallowing servers from running arbitrary commands on connected clients), and is enabled in every other Source 1 multiplayer game, but Portal 2 has never had it turned on until a recent update. I'm really not happy with the fact that this was randomly changed in an update 13 years after the game's release after hundreds of workshop maps have already been made which rely on the original behavior. It completely prevents a lot of cool/useful things that could previously be done in co-op with VScript/commands, further restricting what is probably already the most restricted Source 1 game when it comes to modding.

As a compromise, it would be nice to have a new cvar added which restores the original behavior. Said cvar should obviously not be flagged with FCVAR_SERVER_CAN_EXECUTE itself, since that would allow servers to just turn off the restrictions, but a user who specifically wanted that behavior or was playing a map which required it could turn it off themselves.
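
A small C++ model of the gate and the proposed opt-out described in the comment above, added here as an illustration; it is not Portal 2 or Source engine code and not part of the thread. The override cvar name, `example_flagged_cmd`, and the flag's bit position are assumptions made for the model.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

constexpr uint32_t FCVAR_SERVER_CAN_EXECUTE = 1u << 28;  // bit position assumed for this model
const std::string kOverride = "cl_allow_unflagged_server_cmds";  // hypothetical cvar name

enum class Source { LocalConsole, RemoteServer };
struct Entry { uint32_t flags; int value; };

struct Client {
    std::map<std::string, Entry> registry;

    explicit Client(bool overrideIsFlagged) {
        registry["upgrade_potatogun"] = {0, 0};                           // unflagged, per the issue
        registry["example_flagged_cmd"] = {FCVAR_SERVER_CAN_EXECUTE, 0};  // hypothetical command
        registry[kOverride] = {overrideIsFlagged ? FCVAR_SERVER_CAN_EXECUTE : 0u, 0};
    }

    // Returns true if the command ran, false if it is unknown or the gate refused it.
    bool dispatch(Source src, const std::string& name, int arg) {
        auto it = registry.find(name);
        if (it == registry.end()) return false;
        bool flagged = (it->second.flags & FCVAR_SERVER_CAN_EXECUTE) != 0;
        bool overrideOn = registry[kOverride].value != 0;
        if (src == Source::RemoteServer && !flagged && !overrideOn)
            return false;  // the "prevented server running command" case
        it->second.value = arg;
        return true;
    }
};

// Can a server switch the gate off by itself and then run an unflagged command?
bool serverCanBypass(bool overrideIsFlagged) {
    Client c(overrideIsFlagged);
    c.dispatch(Source::RemoteServer, kOverride, 1);
    return c.dispatch(Source::RemoteServer, "upgrade_potatogun", 1);
}

// Does the opt-in work when the player sets the override from their own console?
bool userOptInWorks() {
    Client c(false);
    c.dispatch(Source::LocalConsole, kOverride, 1);
    return c.dispatch(Source::RemoteServer, "upgrade_potatogun", 1);
}

int main() {
    std::printf("flagged override bypassable by server: %d\n", serverCanBypass(true));
    std::printf("unflagged override bypassable by server: %d\n", serverCanBypass(false));
    std::printf("user opt-in works: %d\n", userOptInWorks());
}
```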

NathanL1370 commented Jun 5, 2024

> I'm really not happy with the fact that this was randomly changed in an update 13 years after the game's release after hundreds of workshop maps have already been made which rely on the original behavior. It completely prevents a lot of cool/useful things that could previously be done in co-op with VScript/commands, further restricting what is probably already the most restricted Source 1 game when it comes to modding.

Now that you mention it, I am actually making a Portal 2 mod that ports the singleplayer maps to coop and it heavily relies on using commands without the server_can_execute flag. They are also executed through the point_broadcastclientcommand entity. With the latest update of Portal 2, point_broadcastclientcommand almost becomes entirely useless because those commands would be blocked by the FCVAR_SERVER_CAN_EXECUTE error.

> This is actually unrelated to commands being cheats, the game now disallows remote servers from executing any command that doesn't have the flag FCVAR_SERVER_CAN_EXECUTE in code. You can see which commands have it by typing help <command>, and seeing if the output shows server_can_execute - it's not many.

That's true, I should probably edit the title and description. Thanks for clarifying.

> As a compromise, it would be nice to have a new cvar added which restores the original behavior. Said cvar should obviously not be flagged with FCVAR_SERVER_CAN_EXECUTE itself, since that would allow servers to just turn off the restrictions, but a user who specifically wanted that behavior or was playing a map which required it could turn it off themselves.

That would work, as long as said cvar can be changed through a point_servercommand in the case of modding. In the case of my mod that I am working on, it would definitely be required to be off at all times for my mod to work properly (and possibly other coop maps that rely on these commands). However, this brings back the possibility that malicious actors/trolls can use it for remote code execution exploits, making FCVAR_SERVER_CAN_EXECUTE completely useless at what it was supposed to do.

NathanL1370 commented

#437 describes 2 commands that are affected by the FCVAR_SERVER_CAN_EXECUTE flag. More details there.
