Our SourceForge account was compromised and therefore the B3 project files are no longer safe to use.
Any Windows installer and Windows standalone version downloaded after 17 January 2015 might possibly be infected.
Run a tight antivirus check if you installed the Windows binaries after 17 January 2015 or if you are not sure. (Report topic is here.)
Topic: login.py bug

felixmole
login.py bug
« on: November 25, 2012, 01:44:10 AM »
Hi,

It appears login.py contains a bit of deprecated code in b3 1.7.1.

(in cmd_login())
Code: python

        if data:
            digest = newmd5(data).hexdigest()
            if digest == client.password:
                client.setvar(self, 'loggedin', 1)
                client.groupBits = client.var(self, 'login_groupbits').value
                client.message('You are successfully logged in.')
                return
            else:
                client.message('^1***Access denied***^7')
                return


There is, line 3, a comparison between a hash of the input password, and ... the client's /password (which is set client-side), instead of the client's password hash as in the server database.

I do not know what property the Client class has that refers to it. If someone familiar with the B3 core code could fix this, or tell me if I am wrong... Thanks!
« Last Edit: November 25, 2012, 01:45:53 AM by felixmole »

Courgette (Senior Dev.)
Re: login.py bug
« Reply #1 on: November 25, 2012, 03:37:48 AM »
If I understand the code correctly, 'client.password' refers to whatever value is in the 'password' column of the 'client' table in your database. In the database, this value must not be the password in plain text but instead its md5 hash.
So the code compares a hash to a hash.

felixmole
Re: login.py bug
« Reply #2 on: November 25, 2012, 09:43:54 AM »
Quote from: Courgette
If I understand the code correctly, 'client.password' refers to whatever value is in the 'password' column of the 'client' table in your database. [...]

Well, it should, but it doesn't: after doing some debugging I have found out it refers to the client's /password setting (that can be used to access a private server or a private slot).

Client user-info as in the log file:
Quote
  6:35 ClientUserinfo: 15 \ip\x.x.x.x:27960\name\Zesco\password\some_password_here\racered\2\raceblue\3\rate\8000\ut_timenudge\0\cg_rgb\128 128 128\cg_predictitems\0\cg_physics\1\snaps\20\model\sarge\headmodel\sarge\team_model\james\team_headmodel\*james\color1\4\color2\5\handicap\100\sex\male\cl_anonymous\0\gear\GMIORAA\teamtask\0\cl_guid\THEIRGUID\weapmodes\00000110120000020002
For this client, client.password gives "some_password_here".

82ndAB.Bravo17 (Dev. Team)
Re: login.py bug
« Reply #3 on: November 25, 2012, 05:33:01 PM »
We have been using the login plugin for years, and it works fine with no issues - you must be misunderstanding something, or your mod is doing something really strange.

What game, and which mod are you using?

EDIT: Is it usual to have the password in the ClientUserInfo line like that, since it looks like it is that that is causing the issue?
« Last Edit: November 25, 2012, 06:43:39 PM by 82ndAB.Bravo17 »

felixmole
Re: login.py bug
« Reply #4 on: November 25, 2012, 05:54:23 PM »
Quote from: 82ndAB.Bravo17
We have been using the login plugin for years, and it works fine with no issues - you must be misunderstanding something, or your mod is doing something really strange.

What game, and which mod are you using?

I use Urban Terror, vanilla B3 (Except a couple of minor modifications in plugin_admin.py but that's it).

When I insert self.debug("client password = %s; input hex'd password = %s" % (client.password, digest)), I can clearly see the user-defined /password for the first value, which is not normal.

If it works for you, I'm assuming this is a problem with the UrT parser.

EDIT: I have not tried to see if it worked normally when the user in question has no /password set
« Last Edit: November 25, 2012, 05:57:30 PM by felixmole »

Courgette (Senior Dev.)
Re: login.py bug
« Reply #5 on: November 25, 2012, 06:45:02 PM »
There is indeed an issue as you found out. It is bound to the iourt41 and iourt42 parser (at least).
I will update the login plugin to prevent any misbehavior due to bugs or bad habits from the game parsers. Then I will also update the UrT* parsers.
Follow this topic for updates

felixmole
Re: login.py bug
« Reply #6 on: November 25, 2012, 07:11:48 PM »
Thanks all for your input!

Courgette (Senior Dev.)
Re: login.py bug
« Reply #7 on: November 25, 2012, 09:03:04 PM »
Could you replace your login.py file with this one and tell me how it goes?

felixmole
Re: login.py bug
« Reply #8 on: November 25, 2012, 10:18:17 PM »
Works perfectly. Thank you for your time.

Courgette (Senior Dev.)
Re: login.py bug
« Reply #9 on: November 27, 2012, 01:14:50 AM »
Fixes have been made to the UrT parsers (4.1 and 4.2).
Please update to B3 v1.9.0dev22 (or later) and report back any issue.
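
Added example, not part of the thread and not B3's code: the symptom confirmed above, reproduced under the assumption that the parser copies every ClientUserinfo key onto the client object, next to an allowlisted variant that keeps the database hash intact. The `Client` class, the function names, the allowlist and the sample log line are constructed for illustration.

```python
import hashlib
import hmac

# Constructed log line in the thread's ClientUserinfo format (all values made up).
SAMPLE = r"  6:35 ClientUserinfo: 15 \ip\192.0.2.10:27960\name\Zesco\password\slot_pw\cl_guid\GUID123"

# Assumed allowlist: the only userinfo keys copied onto the client object.
ALLOWED_FIELDS = ("name", "ip")


class Client:
    """Hypothetical stand-in for a bot-side client record (not B3's Client class)."""
    def __init__(self, stored_hash):
        self.password = stored_hash  # MD5 hex digest loaded from the database
        self.userinfo = {}           # untrusted, client-controlled cvars


def md5_hex(text):
    # MD5 only because the thread's database column stores MD5 hashes.
    return hashlib.md5(text.encode()).hexdigest()


def parse_userinfo(line):
    """Return (slot, {key: value}) from a 'ClientUserinfo: N \\k\\v...' line."""
    payload = line.partition("ClientUserinfo: ")[2]
    slot, _, rest = payload.partition(" ")
    parts = rest.lstrip("\\").split("\\")
    if len(parts) % 2:               # dangling key without a value
        parts.append("")
    return int(slot), dict(zip(parts[0::2], parts[1::2]))


def apply_unsafe(client, info):
    """Assumed mechanism for the thread's symptom: every key becomes an attribute."""
    for key, value in info.items():
        setattr(client, key, value)  # 'password' replaces the stored hash


def apply_safe(client, info):
    """Keep client-sent cvars in their own dict; copy only allowlisted keys."""
    client.userinfo = dict(info)
    for key in ALLOWED_FIELDS:
        if key in info:
            setattr(client, key, info[key])


def check_login(client, typed_password):
    """Compare the hash of the typed password with the stored hash."""
    return hmac.compare_digest(md5_hex(typed_password).encode(), client.password.encode())
```

With `apply_safe`, the game's /password cvar stays readable as `client.userinfo["password"]` for private-slot handling without ever touching the attribute the login check reads.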
