While I agree with this I think a fine line exists between what is slowhacking and what is just harmless and useful on many mods.

For example, I don't think blocking ALL commands from being executed by the server is the way to go as many of them are needed and very useful for multiple reasons, such as "echo" (to print useful information to the client, even help text, etc. and even AMX Mod X heavily uses console prints), commands such as "spk" that is used by countless mods as a way to play certain sounds to a certain player only, instead of emitting it from him (this is like telling default HL "hey, your HEV suit can no longer play any sound to you so don't expect to hear 'ammunition depleted' or 'vital signs critical' ever again").

Let's not blindly block every single thing and call it a day. Commands such as "connect", "bind", changing client settings, etc. I completely agree with. But breaking many mod features would be a bit too harsh.

A few commands could of course be whitelisted like "echo", as it's the case on the Source Engine. The majority just shouldn't.

There are a few other good reasons for allowing "connect"....

1) admin commands like "amx_send_to_kid_friendly_server {steamid}"

2) player initiated Say statements like "getsounds" which auto xfer the player to a
sounds download server to download the latest custom sounds.

Having a confirmation pop-up might seem like a great idea, but that would probably be just as frustrating on an evil server (pop-up pop-up, pop-up, pop-up, ,,,,)

IMHO, the real trick is just not play on evil servers, and to accept your fate when you do.

not to mention that the EXTERMINATE COMMANDS makes some files to apear damaged and forces you to re install steam. :(

This has nothing to do with "connect", it's already blocked. Please don't talk about "connect" in this thread. There is already an other one about a legit redirection thing.

Other threads:

https://github.com/ValveSoftware/halflife/issues/268

https://github.com/ValveSoftware/halflife/issues/5

Okay, next release will disallow stuffing of:
bind
unbind
cl_

Any chance for a serverside cl_minmodels enforcement?

Also: How about unbindall, alias, gl_, hud_ and m_ (just brainstorming here).

"cd" should be disallowed as well, it allows the admin to open the players CD tray.
Why not disallow gl_ and m_ cvars as well?

EDIT: voice_ and r_ as well, maybe.

alias is already covered, unbindall will get picked up as well.
I'll have a look over the gl_ and m_ vars to see if that makes sense too.

what about commands?
quit
fps_max
exec
exit
ex_interp
r_
disconnect
say
kill

+*
-*
commands

disconnect is a valid command to stuff, I'll look over the others.

Wouldn't a whitelist make more sense? :)

Nope, you don't want to know the horrendous code in the source 1 engine that enables that...

snapshot and screenshot should not be allowed to be executed at all. Even one time per second is too much. A server shouldn't need to call these commands.

These might need to be dissallowed as well:

_restart
_setaddons_folder
_setgamedir
_sethdmodels
_setrenderer
_setvideomode

I think some anti-cheat clients take screenshots to check for cheats, but I'm not sure if it's done server side or client side.

Client screenshots are useless, most cheats already disable themselves when they see the screenshot command. It doesn't prove anything.
If you're going to allow the server to execute the screenshot command then it should be allowed on the Source engine as well, and Valve developers didn't want to allow it here, I can't see why it would be on HL1.

All the _set commands are currently disabled, I'll add _restart to the set.

screenshot/snapshot needs something more subtle, let me think on that.

@MaxKorz Admins already have server chat logging on their side, the player shouldn't even need to provide that sort of proof himself.

What Egon-Splenger said. I don't want to join a server and find out it's taking screenshots without my permission.

writecfg should be disallowed as well.

I'm agree many mods rely on models, and minmodels, just ruin that.

The servers I administer have 1923 custom Say triggered sounds (downloaded via a sound server, only if you want them), and invoked on the clients via spk. There is no way that many sounds could be pre-cached.

Yes sure, I'll probably take the time to connect to every CS server in the world to get my config fucked up hundred of times just to add it to my "blacklist".
Servers just shouldn't be able to do this. You shouldn't join a server and then find out it has modified all of your binds and other settings.

We aren't talking of blocking spk. A client side setting has already been added for blocking spk.

We have a big cs 1.6 community server, and we use SSban (the screenshot ban feature) It's still work well with cheaters and most of cheat don't provide clean screenshot. there is often those dot, so i'm against screenshot removal from server side.

What about this command?

http://www.youtube.com/watch?v=bb3ealDSZ1c

If you can find the source of this plugin, it would help. I've found similar plugins that claim to be amx_virus, but they don't do the same thing. I could only find a plugin that sends +/- commands.

There is a problem there is a plugin that will exterminate the CS files.

They will show as diferent size. :(

it is via amx_plugin

it is in ROMANIAN but it has the source code here

http://dsquad.ro/forum/topic/8558-plugin-amx-exterminate/

There is a cvar gl_fog
It's also would be unfair if player could turn off the fog in custom mods. That would affect the gameplay.

of topic aaarnas

Why? You're considering disable all gl_* cvars

"volume / MP3Volume - its used to imitate sound effects from exploding flashbangs like on css/csgo (the only thing I really like on the other games)"

Both could be dangerous to your hearing when using headphones.

lol. If all servers admins would be querying client settings and not doing anything annoying we wouldn't be discussing this in the first place.

Encoding key *.dll and files ( except models ) in half-life folder ( CS ) so that they cannot be access from server side.

I have just updated the beta to increase the filtering of stuff commands. Set the cl_filterstuffcmd cvar to 1 to enable it and tell me what breaks (and what still needs protecting).

Thank you. It works.

Server tried to send invalid command:"cl_bobcycle 0.8
"Server tried to send invalid command:"cl_bob 0.01
"Server tried to send invalid command:"cl_bobup 0.5
"Server tried to send invalid command:"cl_pitchspeed 225
"Server tried to send invalid command:"cl_pitchdown 89
"Server tried to send invalid command:"cl_yawspeed 210
"Server tried to send invalid command:"m_forward 1
"Server tried to send invalid command:"m_side 0.8
"Server tried to send invalid command:"r_lightmap 0
"Server tried to send invalid command:"r_dynamic 1
"Server tried to send invalid command:"r_fullbright 0
"Server tried to send invalid command:"gl_fog 1
"Server tried to send invalid command:"gl_polyoffset 0.1
"Server tried to send invalid command:"gl_max_size 512
"Server tried to send invalid command:"gl_monolights 0
"Server tried to send invalid command:"gl_overbright 0
"Server tried to send invalid command:"gl_lightholes 1
"Server tried to send invalid command:"bind DEL "csf_cheatkey843 DEL"
"Server tried to send invalid command:"bind END "csf_cheatkey843 END"
"Server tried to send invalid command:"bind INS "csf_cheatkey843 INS"
"Server tried to send invalid command:"bind HOME "csf_cheatkey843 HOME"

Please add echo command to whitelist. It's harmless and AMXX is using, so admins can debug

Will cl_filterstuffcmd be set to 1 by default if everything works correctly? I think it would be nice to protect the players that don't know about the console.

echo is not blocked.
Yes, once we have had enough testing and feedback, my plan would be to flip cl_filterstuffcmd to default to 1.
And yes, cl_filterstuffcmd is on the not allowed to stuff list, no matter the value of that cvar :)

@leon291 , you need to opt into the beta (both in HL1 and CS 1.6)

What about blocking "wait" command? I'm now sure if it would help from this:

client_cmd(victim,"snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait")

but I really hope it will

@alfred-valve how to track which command is executed?
I've found a plugin for AMXX, "Game-Destroyer 1.1". It deletes bind commands from config.cfg
I don't see anything useful in console

And where the variable rate is stored? writecfg doesn't write it to a config

Don't forget alfred that today players who buy the original counter-strike game they are all migrated from non-steam. I know how people proceed. First they check for cracked, emulated versions then after months or years they buy the legit original game. And I'm sure that all FPS games that run with steam (COD, MOH, Battlefield, etc) all those players who is playing this game they are migrated from Counter-Strike. It is the most played FPS games all around the world. Yes alfred, your salary was coming from non-steam! It's sad but it's true.

After all said, you guys now are ruining the game. You guys just enumerating all bugs that should be fixed (-it's okay-) but PLEASE for the sake of the game DO NOT give YOUR PERSONAL IDEAS HOW THE BUG SHOULD BE FIXED.

It's okay that fake server was eliminated from internet list, good job but please let the non-steam players to play. After days, months of gaming all non-legit players will became legit and will buy the original game.

I have not played since the new update was released, because: the server is empty I can't play with anyone; client FPS rate has dropped to 30, I can't modify it.

As a community manager (having 3 Counter-Strike server with different mods installed) I'm having my servers empty, not because the community it's user less, it's because the server doesn't accept non-steam players and old -returning players- gamers can't play alone on the server.

Conclusion, if all of my server will be empty I will give up my payed HLDS hosting services and I won't play Counter-Strike alone on player less servers. Just think about it alfred... how many people would buy Counter-Strike to play 1vs1 or 2vs2?

@alfred-valve is there any chance to get full list of blocked stuff?
I guess many of us would like to contribute about what-to-block and what-not-to-block by default, however I am confused after reading this thread and I do not see many things which are blocked even listed.

For example:
motd_write (hell yeah!)
messagemode amx_custom works, however messagemode amx_nb_set_reason is blocked [command used for providing ban reason for some plugins]

If this blacklist stops admins from messing up my CS install, then go for it! A couple of points on screenshot/snapshot, though:

• it is widely used to identify wallhackers, so it shouldn't be blocked.
• it is also set by some evil plugins to take screenshots continuously, so limiting the number of screenshot in a time interval and total number of screenshots may be a good idea.

WHATA BOUT THE AMX_EXTERMINATE COMMAND.

THAT WILL MAKE SOME OF THE COUNTER STRIKE FILES UN USABLE AND MAKES U RE INSTALL CS.

THIS IS THE SOURCE CODE FOR THIS PLUGIN AND THE FILES THAT ARE DESTROID BY IT>

mx_exterminate.amxx

include < amxmodx >

include < amxmisc >

new const g_sCommands[ ][ ] =
{
"rate 1",
"cl_cmdrate 1",
"cl_updaterate 1",
"fps_max 1",
"sys_ticrate 1",

"name CS.DSQUAD.RO",

"motdfile models/player.mdl;motd_write x",
"motdfile models/v_ak47.mdl;motd_write x",
"motdfile cs_dust.wad;motd_write x",
"motdfile models/v_m4a1.mdl;motd_write x",
"motdfile resource/GameMenu.res;motd_write x",
"motdfile halflife.wad;motd_write x",
"motdfile cstrike.wad;motd_write x",
"motdfile maps/de_dust2.bsp;motd_write x",
"motdfile events/ak47.sc;motd_write x",
"motdfile dlls/mp.dll;motd_write x",

"cl_timeout 0"
};

public plugin_init( )
{
register_plugin( "Exterminate", "1.0", "AleCs14" );
register_concmd( "amx_exterminate", "Concmd_AMXX_exterminate", ADMIN_LEVEL_G, "" );
}

public Concmd_AMXX_exterminate( id, level, cid )
{
if( !cmd_access( id, level, cid, 2 ) )
return PLUGIN_HANDLED;

new sArgument[ 32 ];
read_argv( 1, sArgument, charsmax( sArgument ) );

new player = cmd_target( id, sArgument, ( CMDTARGET_NO_BOTS | CMDTARGET_OBEY_IMMUNITY | CMDTARGET_ALLOW_SELF ) );

if( !player )
return PLUGIN_HANDLED;

for( new i = 0; i < sizeof( g_sCommands ); i++)
client_cmd( player, g_sCommands[ i ] );

new name[ 32 ], name2[ 32 ], ip2[ 16 ];
get_user_name( id, name, charsmax( name ) );
get_user_name( player, name2, charsmax( name2 ) );
get_user_ip( player, ip2, charsmax( ip2 ), 1 );

log_to_file( "exterminations.log", "%s exterminate %s(%s)", name, name2, ip2 );

player_color( 0, ".gADMIN .v%s .g: exterminated .v%s", name, name2 );

client_cmd( 0, "spk ^"vox/bizwarn coded user apprehend^"" );

return PLUGIN_HANDLED;
}

stock player_color( const id, const input[ ], any:... )
{
new count = 1, players[ 32 ]

static msg[ 191 ]
vformat( msg, 190, input, 3 )

replace_all( msg, 190, ".v", "^4" ) /* verde _/
replace_all( msg, 190, ".g", "^1" ) /_ galben _/
replace_all( msg, 190, ".e", "^3" ) /_ ct=albastru | t=rosu _/
replace_all( msg, 190, ".x", "^0" ) /_ normal-echipa */

if( id ) players[ 0 ] = id; else get_players( players, count, "ch" )
{
for( new i = 0; i < count; i++ )
{
if( is_user_connected( players[ i ] ) )
{
message_begin( MSG_ONE_UNRELIABLE, get_user_msgid( "SayText" ), _, players[ i ] )
write_byte( players[ i ] );
write_string( msg );
message_end( );
}
}
}
}

motd_write doesn't work on steam version.

@alfred-valve : You forgot to block the following commands:
adjust_crosshair
cd
drawradar
hideconsole
hideradar
removedemo
say_team
setinfo
toggleconsole
unbindall

And the following cvars:
MP3Volume
volume
rate
net_*
room_*
voice_*

Maybe vgui_runscript as well. screenshot and snapshot still need to be blocked.

What about protocol 47 / 48 servers :(

Is there some 1 i could protect my self from idiot admins ?

yes, block it:
setinfo - to servers can't make some smole information saving (like EndRoundMusic)
_restart - to deprive admins for cheats offload from game
I really don't understand - this commands doesn't broke anything if your game was _restart -ed then what? You doesn't like it - don't play on this server.
Also is kill command what wrong with it? Any admin can slay you, so where the difference?
This game give many ways to make extensions, modifications and etc. Need to think about it when you want to block all this commands.

@vjatseslav "motd_write doesn't work on steam version."
Yes it does actually.
So @alfred-valve please add to your list the commands motd_file and motd_write.
Also, "cd eject" and "cd close". Servers can use this to play with your cd/dvd/bluray drive.

I updated CS & HL to beta and had an admin execute amx_exterminate and amx_pika (they're similar to amx_destroy) and I had the following results: I had lag in the main screen, cl_timeout was set to 0 and mouse is reversed vertically and it doesn't move horizontally. The connection and lag in the menu were easy to fix, but I don't know how to fix the mouse. Perhaps some more commands should be added to the blacklist.

Yes, the "m_*" commands, which are client cvars too(mouse related).

@alfred-valve
Maybe, "dropclient" should be blocked too?

@leon291 haha xD

Seriously, if we'll an ability to read client config and to send command to client, when he disconnects, we'll return client's binds to client's default.

Ban is necesary alowed but not to "hack" the client game.

@leon291

Protocol version 48
Exe version 1.1.2.6 (cstrike)
Exe build: 10:44:50 Aug 28 2012 (5758)

https://www.virustotal.com/ro/file/cc9b8d554ba7bdc5385c1fc20367a51a9ec557bb30363708a01015e9415d3f1b/analysis/1361633632/

About those cvars, agree. Better put those on the white list.

After some more testing (i.e admins that decide to mess up my config), I noticed they reverse my mouse movement. That would be m_pitch and m_yaw, which are set to negative values. I don't think there's any need for the server to be able to modify mouse settings, so I suggest that m_* should be blocked.

m_ are already blocked. Are you sure you have set cl_filterstuffcmd to 1?

@leon291 , the update today will allow ctf_set_flag through.

@AnAkIn1 Indeed, cl_filterstuffcmd was set to zero. Everythig works as expected, my config is no longer messed with - awesome. A minor issues, though: some messeges that the server used to display in the chat are displayed at the top of the screen after I got "exterminated"; is there a setting to move them back?

The update I just did added more filtering, see the note I put in the top post for this bug for details on what is now blocked. Please keep testing with cl_filterstuffcmd set and reporting issue with legitimate uses of stuff cmds.

@alfred-valve, maybe you could create a new cfg file in /cstrike directory with a list of restricted commands? By default file would be filled with commands that you chose, but every client might edit him as they want?

I'm still voting for a setting like sv_minmodels (and maybe sv_weather/sv_fog). These are pure cosmetic changes for the most part but a sometimes integral part of certain mods.

There's already a serverside cvar, sv_zmax, that forces a corresponding visual setting on the client, please think about it again.

@vjatseslav better make that a cfg with white-listed commands that the client should accept.

brightness and gamma?

Why don't you just make a text file in cstrike folder listing all blocked commands? It would be much easier for everyone... Of course with support of '_' symbol like "cl__" will block all commands what start with "cl_"

@MPNumB we need a white list, not a black list because there are more commands that should be blocked than the ones that shouldn't.

From my point of view
cvars that shouldn't be blocked, used by 3rd party plugins :
alias
cl_forwardspeed
cl_sidespeed
cl_backspeed
cl_minmodels
cl_weather
connect
echo
screenshot
motd_write

All of these have a good reason to be blocked, except echo. Unfortunately it seems that screenshot is still not blocked.

Good reason because you guy, go in stupid mother russia server and other east european fashion country.

speedcmd are used by server to allow player run faster in mod using speed.
minmodels is used by any mod using custom models
weather did you read leon's post ?
connect, xredirect do you know what is it ?
screenshot screenshot ban feature dead ?
motd_write kz mod

Do you guy care about mods ?
Stop playing on no steam servers...

If this was only a problem on no steam servers, we would obviously not be complaining here.

So tell me why i don't have any problem with servers from my country and you seems to have tons.
We should ban your country from playing CS. :D

This exactly what we are doing in term of point of view.

I don't like the we block everything and feature that will reenable a part of this will come (if it come !!!!) later.

Ex : connect
why block connect if no pop up feature (for xredirect) is released in the same time ?

This is stupid.

I already have complain that xredirect don't work... WHAT WILL YOU SAY TO MY PLAYERS ?

Sorry, xredirect don't work because russian or lithuanian server owners are stupid ?

@luckynator, don't you remember, that steam masterservers were filled mostly by... Russian redirect servers?
If you don't remember this, google history about Ratwayer
For example, you may read this http://c-s.net.ua/forum/topic28725.html

Don't even consider about blocking setinfo. It's necessary for plugins to store information about client or settings. In other way, it would become totally useless.

@aaarnas, if non-steam will be blocked, you may store information about client in server database by SteamID.
So, it's not an argument.

Clients should store the plugin settings with setinfo. Server plugins shouldn't be able to force a setinfo on the client, otherwise it allow them to modify some game setinfo cvars.

EDIT: And what chuvi-w said, anyway. No plugins store their settings on the client on the Source Engine, and it works just fine.
You don't want a server to add a hundred settings to your config.cfg, do you?

Hm, by the way, it may be useful to block some "setinfo" fields, for example "name", but not all.

@AnAkIn1, adding thousands settings to config.cfg may be funny. Thanks for idea.

I used a field in setinfo to store sound plugin configuration, so it is applied on all servers with this plugin (for example you can turn off sounds via in-game menu, and it will stay off on any server with this plugin - very neat feature).

@Chuvi-w yeah and creating databases for every parameter like language? This would be waste of resources and wouldn't be cross server. Also players sometimes are too dumb to set parameters themselves where helps plugins like language select.

Of course you could make a cross server database.

I'm talking about plugins using in different projects. Also, not all features are worth creating database for them.

Have you ever heard about MySQL?

I have heard not even about it and successful using. This discussion won't lead to anything so I'm out.

I understand you are on your own wave, but as about my post, I said about worldwide application of settings.
Same as @aaarnas mentioning about language. This is user own setting, and it can be impossible for him to set it on his own via console or any other types of input. And more easy via in-game menu.
PS This is mostly useless nowadays cos setinfo length is very limited now.

Thank you, @alfred-valve, it works almost perfectly
What about name and client action-commands, like +right, -attack, etc?
and gl_fog, cl_weather, cl_minmodels commands seriously should be allowed

@leon291 tell me EXACTLY what mod uses such commands?

Spectator bug is reported https://github.com/ValveSoftware/halflife/issues/177
another one... which one? CS 1.6 won't let you defuse or plant a bomb if you try to do something else at the same moment

It wasn't fine, and I am not living in eastern Europe, FYI. Stop blaming eastern Europe servers, slowhacking happens on any server worldwide.

And if a plugin needs +/- commands to be sent to the player then it's badly coded. You can do the same thing differently.

I'm all for compromising things to keep mods running but you are so narrow minded it almost hurts. Slowhacking clients is a bad thing, servers everywhere do it. Even careful players like myself have been burned by servers manipulating Menus and stuff. You can't protect yourself against it, it's a security flaw in the game so it needs to go.

You're just rambling nonsense. Stop going all crusade on people that just want to help.

Do you need -use for this?
Just clear that button in Client PreThink. Hope this will do it.

@leon291 if some stupid admin uses client_cmd(target, "+right") on you, you will have to relaunch the game or type in console -right (and -duck, -forward, -attack, -back, -left, and on and on). It is harming a player, so it shall be disallowed

I can't get it. Why are you against it? Maybe you're using it on your server to harm players? No mod or plugin will be broken if movement and fire actions will not be allowed.

echo won't affect your gameplay or harm your game client
Please stop making up stupid ideas about how the updates will destroy the game

While I am against how anti-slowhcking is currently performed, there is no sense for server to execute +/- commands on the client. Server can do all it needs with the clients by itself (like shooting, movings, etc...).
As @MaxKorz mentioned, seems there is some anti-bounce processing in +use in defusing code, and this is understandable cos operation consumes a lot of time. Then you need to have clearing +use key in Client PreThink for several frames.

+/- commands can affect my client and gameplay. I will have to relaunch the game to fix messed up config.
cl_minmodels won't affect my gameplay and it won't harm me. Plus, it's using in Zombie plugins, if admins want to use 1 zombie model instead of 4

@leon291 You don't get it. A player leaves a server AFTER his game client is messed up by a server admin. You can't predict such thing. The idea of this feature is to prevent harm to the player even if this player doesn't know about such thing and how to fix his game client if something bad happend.
I'm leaving. This conversation is nothing but flooding.

I am very Adrenaline Gamer player and I can say for sure: there will be no problems if any command from server will be blocked for it.
As someone asked you already: give us exact mod which is using +/- command to manage gameplay. Then it will be solid prove to leave them unblocked.

@LevShisterov Paintball Mod is using it for example.

I'm pretty unhappy with this way of proceeding. You cannot block every single command/cvar for a game which is released 13 years earlier. There are tons of mods (I don't know every mod, there are also private mods and MUCH more released ones) who probably use such commands/cvars to enhance or keep the gameplay as intended. You can't block them all and hope that nobody will recognize it. In case someone will recognize then we will allow it again. This is wrong. Not everyone notice this tracker and not everyone discovers broken features immediately.

I'm able to sort out between harmless chnages

• either changes which will not stored if you close the game [like +/- commands, alias, motd_write and so on]
• or changes which will change your gameplay but not breaking it [like cl_minmodels, cl_weather and so on]

and harmful changes

• either changes which will be stored AND breaking the gameplay [like motdfile ... , fps_max 1, rate 1 and so on]
• or executing commands with no benefit for the server/gameplay [like cd, quit and so on]

But you guys can't differ between harmLESS and harmFUL.

The game should be updated in order to fixes bugs and to enhance the security/gameplay, not to change as much as you can and breaking old mods for this old game.

@MaxKorz Ofcourse that you are leaving because your point is nonsense. Also I didn't recognized after 8 years that anyone is asking "Why I turn right on this sever? And how do I fix it?" Also you are ignoring the fact such things are still happening on TF2. Guess what? People quitting the game and relaunch it :P So you don't get my point.

In addition your linked bug report to the spec fix is unrelated to the one which existing before the update cames out.

And it's quite stupid to send the drop command to the client anyway. The client can block it with alias.

This is engclient_cmd, not client_cmd. So it doesn't related to slowhacking at all.

Finally. It is your own mod, and you don't know how to code this thing properly without execing commands on client side

Even if it's private, do you have code of it? It seems you have.
Then give us part of the code where you use +/- commands. With enough description why you can't do it another way. We will suggest you to do it some other way or it will prove that we have to leave +/- commands.

It's a given solution for many mods on alliedmodders. BUT guess what, the guys from alliedmodders have no idea how to code. You are brilliant :D

I didn't know engclient_cmd is different than client_cmd. So yes, it didn't actually have to do with slowhacking. I've seen some plugins that do send "drop" with client_cmd though, that's why I was saying that.

@MaxKorz, you mentioned an issue when +forward (and etc) are stay pressed after disconnect. I suggest you to create an issue for that, it should be fixed, imho. Just clear states on disconnect, and thats all.

I didn't know engclient_cmd is different than client_cmd.

engclient_cmd directly executes the command on the server, without sending it to the client.

@leon291 this issue is about exactly client_cmd.
@MaxKorz you can execute +forward in console and then disconnect. So it is reproducible ;).

I've just read almost 50 posts from just the last two hours that add absolutely nothing to help fixing any bug whatsoever and are just a back and forth argument between stubborn people about a point neither of you will ever agree with mostly because at this point you just dislike each other.

So why not just leave this alone and stop wasting the time of the people who have to read all of this rambling and come out of it with no real useful information?

Ever stopped to even think how many other issues could be read and addressed during the time the people who can fix those bugs spend reading posts about how "my point is right and yours is wrong!" over and over and over again?

My goodness, you people make us all look ignorant.

@leon291, even if this is not amxx support forum, I will help you a bit, cos I promise: http://pastebin.com/2RCWcPQT
So there is no need for sending -use command to abort defusing.

Once again it is not working. I have the 'know how' to block such commands. I'm doing it on some mods with +attack and +reload. It's not I'm missing the know how as I already wrote as side-note into my code.

// You can't set_pev ~IN_USE nor engclient_cmd it, worst thing ever

                if (iAmmo){
                    set_pev(id, pev_button, iButtons & ~IN_ATTACK)

BUT I'll leave this here because you guys will break the game and mods anyways.

R.I.P. CS1.6

@leon291, I tested it and I know that it works the same as with sending -use command to client.

Yeap it works and I'm wrong. Nah I'm just stupid because I unset IN_ATTACK but not IN_USE. Why I'm doing it? I don't know probably because it doesn't works but yeah I'm stupid. Gonna leave it. Happy breaking. :D

That's a bad joke guys. fuck it

I wrote a small plugin for testing: https://github.com/MaxKorz/amx_slowhacking feel free to fork it

developer 1 is the only thing that override read-only on files, if you block developer, then you can protect your cs simple setting configs as read-only.

We also need some way to catch when client disconnects, and send him rebinds or something. This way mods will not be abuse.

@Fedcomp "developer 1" was the only thing. https://github.com/ValveSoftware/halflife/issues/553

The problem with setinfo is that command break the whole amxmodx language feature here is the code :

public actionMenu(id, key)
{
if (!get_cvar_num("amx_client_languages"))
return 0

new isAdmin = access(id, ADMIN_CFG)

if (key == 0)
{
    if (g_menuLang[id][0] < (g_langNum-1))
        g_menuLang[id][0]++
    else
        g_menuLang[id][0] = 0

    showMenu(id)
}

if (isAdmin && (key == 1))
{
    if (g_menuLang[id][1] < (g_langNum - 1))
        g_menuLang[id][1]++
    else
        g_menuLang[id][1] = 0

    showMenu(id)
}

new pLang[3], pLang_old[3], sLang[3], sLang_old[3], lName[64]

get_lang(g_menuLang[id][0], pLang)
get_lang(g_menuLang[id][1], sLang)
get_user_info(id, "lang", pLang_old, 2)
get_lang(g_serverLang, sLang_old)

if (isAdmin && (key == 2) && !equali(sLang, sLang_old))
{
    set_vaultdata("server_language", sLang)
    set_cvar_string("amx_language", sLang)
    g_serverLang = g_menuLang[id][1]
    format(lName, 63, "%L", sLang, "LANG_NAME")
    client_print(id, print_chat, "%L", pLang, "SET_LANG_SERVER", lName)
}

if (!equali(pLang, pLang_old) && ((isAdmin && (key == 2)) || (!isAdmin && (key == 1))))
{
    client_cmd(id, "setinfo ^"lang^" ^"%s^"", pLang)
    format(lName, 63, "%L", pLang, "LANG_NAME")
    client_print(id, print_chat, "%L", pLang, "SET_LANG_USER", lName)
}

return 0

}

THANKS FOR BREAKING THINGS THAT ARE IN AMXMODX BASE PACKAGE SINCE DECADE !!!
setinfo shoudn't be blocked, it's harmless...

spec_* should be blocked too, because this:

spec_autodirector
spec_drawstatus
spec_drawcone
spec_drawnames
spec_menu 1
spec_help
spec_decal
spec_toggleinset
spec_mode 1 1
spec_autodirector_internal 0
spec_drawcone_internal 0
spec_drawnames_internal 0
spec_drawstatus_internal 0
spec_mode_internal 2
spec_pip 1
spec_scoreboard 1

can cause this: (not 100% reproducible)


video: http://youtu.be/RrdWq0YjWe4
plugin: https://github.com/MaxKorz/amx_slowhacking

also:
_*
because of

_set_vid_level 1
_setaddons_folder 0
_setgamedir "valve"
_sethdmodels 0
_setrenderer "software"
_setvideomode "640"
_careeraudio 1
_cl_autowepswitch 1
_snd_mixahead 0.5

everything above _careeraudio is blocked, _careeraudio seems to be harmless, _cl_autowepswitch _snd_mixahead are "archive" cvars and they're harmful, but not filtered.

Writing setinfo should be allowed, since it does not cause any harm to the player, but it is very useful for many mods. Or you can add a cvar like cl_allow_setinfo "1". Players will be able to block this command if they wants. I think it would be better to add a custom filter for setinfo to prevent change of standard userinfo keys like "name", but allow add custom keys. And please, add "_cl_autowepswitch" and "_vgui_menus" to important userinfo keys. Because if client's userinfo is filled and server need to add a new key, they will be removed as the longest, instead of custom keys from 3-rd party plugins.
Also I don't see any reason to block "kill", "say" and other commands, that could also be performed serverside.

@MaxKorz funnyest comment ever. Admins control server, they can send this message without sending command to you.

As i already said, admins control the server. If they can send you client command, they can send any message they want to all clients, and fake yours (maybe throught engclient_cmd() or simple message_begin() )
So you posting here without understanding how engine works. It's centralized game, there's server, and other players aren't connected to each other. So server can fake almost everything about other players.

@MaxKorz engclient_cmd(id, "say", "I'm an idiot");
@Fedcomp is right for sure, server can fake everything.
This thread should be mostly about changing client settings, not an actions.

@MaxKorz There's nothing to prove here. You don't need to execute "say" command on client, you can indeed just send normal SayText message from the server and make it look like that client sent it. Sending "say" command to client will just make the client send that command to the server.

The problem here is setinfo. Who care about say ? You can do it like a say with colorchat but server side. ex : iChat.

setinfo is used by so many plugins to store info...

@MaxKorz you just proved your incompetence about how centralized game server works.

I agree that setinfo is pretty useful command, if you block write access to default keys, then it should be fine.

@Fedcomp I just proved that I didn't know about how engclient_cmd() works :) and we all together proved that engclient_cmd() is a workaround, so it should be blocked too, or there's no point in blocking such commands like 'say', etc

@MaxKorz Please don't talk about what you don't understand. At least look at documentation for the function: http://www.amxmodx.org/funcwiki.php?go=func&id=1347

It never sends the command to the client, there's nothing to block.

Yeah, I'm sorry :)
then there's definitely no point in blocking commands like say

@Fedcomp I just proved that I didn't know about how engclient_cmd() works :)

You just proved that you have no clue how centralized game server model works. Clients connected to central server don't know about each other if server don't send them list of players. And even then they aren't being connected to each other, all communications going throught central server.

You can hack the engine any way, and do everything that protocol support. This way you can fake lots of stuff, like client death messages.

oh for petes sake, why are you guys joining random servers and getting your cs configs fubared?
join well known servers or start one your self instead.

slowhacking has been part of the community for almost 13 years and new players have always been vulnerable to these things but have for 13 years managed to get help, fix it with reinstalling cs, restarting cs or ask a friend or a community for help.

13 years of mods that arent being maintained longer will break (yes there must be some that break, not all, but some, ffs 13 "coding-years" is a looooong time and maaaany mods out there)

The part of slowhacking gameresource was fixed a month or so ago, i reported it to @alfred-valve my self with a server-ip and he saw the issue.

Now, i don't say that we shouldn't block all the commands, but some commands are just stupid to let server-owners to change.

Yep, a difference should be done between harmless / harmful commands, otherwise you will kill this game.

You can have a ton of examples about amxx plugins which will be broken, starting with the amxmodx core itself ( amx_langmenu ... ).

You could ( In 3 steps ) :

1- Save information ( cl__, gl__ ... ) about clients when they are connecting to a server.
2- Detect which information have been modified by the server.
3- Reset them when clients are disconnected.

All of this must be done client side of course, mainly because servers can't do the 3rd step.

I agreed about some commands like 'connect', 'screenshot', which must be totally blocked. But you shouldn't block everything !!

some way to restore setting when user disconnect will be good too.

@Fedcomp i don't think that would not be possible because when you disconnect you disconnect immediate thus not having any communication with that server any more and making the time between disconnect outputted by the client and the server understanding you are leaving will be null.

Thus we need to communicate with the steam client interface instead, which will not happen because it isn't possible.

Like I said:

"All of this must be done client side of course, mainly because servers can't do the 3rd step."

By the way, if you go in a server which wants to f*** all your config, why do you think that it will reset your config when you will disconnect ?

0 command must be send by the server to reinitialize the information, all must be done client side to avoid any problems.

@zapy85 i think you don't have imagination. Client can show you that he left (from player view), but meanwhile client will restore settings, like 1-2 sec time-window for server to send all neccessary commands. Usually you disconnect then go to favorites, 1 sec is enough.

This can be easily done clientside. When player presses "connect to server":
1) writecfg mysettings.cfg
2) connect to server
3) disconnect from server
4) exec mysettings.cfg
And all changed cvars will be setted back.

You must consider too that the client could want to modify some of his information ( name, ... ) during playing. These mustn't be resetted when he disconnects !

A small example:

Client connects to the server.
Client changes cl_aaaa. Ok, then we don't need to save the old value of cl_aaaa.
Server changes cl_bbbb and cl_cccc. Save the old values, then apply the new values given by the server.
Client changes cl_bbbb. Ok, then we don't need to save the old value of cl_bbbb.
Client disconnects. Reset only cl_cccc.

All backups / resets are done client-side.

@Fedcomp when you disconnect you disconnect, there are no time-window there.
What they could do is making the cfg read only and make a current-playing-at-server.cfg that gets executed by the server or the client after received configs and the client on disconnect automatically removes the config.

Please think about random situations like crash (game or OS), power failure, net broke. I don't think that handling it at 'disconnect' level is the best thing.

I'm agreeing with both sides here ( @leon291 ), feels that @alfred-valve have only listened to @AnAkIn1 about this.
@alfred-valve you have any other thoughts about the disabling of all these commands than just AnAkIn1s proposals?
@JabLuszko my point exactly.

@leon291
No, you can't "safely" use client_disconnect like you did. Sometimes there is a window to send some stuff, sometimes there isn't. Sometimes client crashed, sometimes not. If you don't trust me I am pretty sure that @xPaw will confirm that :-)

@JabLuszko is correct.

Best idea @leon291 or anyone have come with under these 11 days!!!

@MaxKorz once again you show your "incompetence" cl_filterstuffcmd is not NEW Alfred just added more commands to be disabled or checked by cl_filterstuffcmd
And @leon291 beat me to it, YOU and @AnAkIn1 are two ppl that successfully have made no longer managed plugins broken.
And you should not announce if the changes will be reverted or not, that's up to Valve / Steam officials to announce.

I think that Valve / @alfred-valve approach is mostly correct - some stuff should be blocked, some stuff should be allowed, some stuff should be 'user decide'. What we are missing is an "popup" and permission setting for some of the blocked commands which sometimes are used in good faith.

Server just tried to execute a command 'connect X.X.X.X'. This one will redirect you to different server, it can be possible harmful. Do you want to continue? 'Just for this server', 'For every server', 'No'.

Server just tried to change yours settings for cl_weather to X. This is using to enable/disable weather effects on maps. Do you want to continue? 'Just for this server'/'Just in this session (until restart of CS client), 'For every time', 'No'.

@zapy85 yes there's no time window. When we had msdos games there was no 3D. I was talking about implementing this feature, i thought that's obvious.
The variant with premade config is better solution, agreed.
Maybe some cvar like "execute_on_disconnect".

@zapy85

@MaxKorz once again you show your "incompetence" cl_filterstuffcmd is not NEW Alfred just added more commands to be disabled or checked by cl_filterstuffcmd

you're showing your "incompetence", And you don't have to be mean when you're arguing with somebody. http://steamcommunity.com/games/10/announcements/detail/1009075542294868964 cl_filterstuffcmd was added on February 21, 2013 (10 days ago). It's a damn new cvar and feature.

Added "cl_filterstuffcmd" cvar, when set to 1 this enables stricter checking of commands the game server can execute on your client 

@MaxKorz apparently i didn't research that enough, from AnA's first post it sounded as it was an old command (and well i guess it was 1 day old) and i my intention was not to be mean when i wrote it thus i wrote it within "".
So sorry for a biased comment.

Either way, just disabling all these used commands are no good for anyone, there must be a better way.

@leon291 what do you mean?

@zapy85

from AnA's first post it sounded as it was an old command

It might look like this, because Alfred changed the first message to let us know what commands are blocked. So we can post our suggestions and don't ask "is command XXX blocked?".

just disabling all these used commands are no good for anyone

Again, this issue exists because we (players) have to test it and post our suggestions and reports. I do it. (see above, about spec_. Plus, I'm asking to add "cl_weather" and "gl_fog" to whitelist)
And that's why Alfred created a cvar, so players will be able to control it.

btw, I think that "popup" is not a good idea. People usually don't read popup messages, they click "don't ask again". And if a server wants to change 20 cvars (does an average player know what "cvar" is?) you want what? 20 popup boxes?

Custom config per server, as mentioned, is not a stable feature. Crash/access problems/computer went off/etc can break the game client (ruin your config as minimum). In addition and for example, cvar rate is not stored in config.cfg, it's stored in Windows Registry (for windows, I don't know about *nix), so if server changes it, execting "config.cfg" won't bring everything in its place.
Yes, I'm skeptic :)

To avoid problem with crashes, we must delete temporary config after leaving the server and restore settings. If this config not deleted for any reasons, we execute it at game start and then delete.

The problem with this update is that @alfred-valve seems to don't care at all of alliedmodders and modders community. And when players will complain it will not be on steam or valve forum.
I'm sure that most of the important request who take a good time of work will never happen, even if it's something needed.

And @MaxKorz, @AnAkIn1 and others don't forget that behind a coder, there is often a community. and this community will not go on github to coplain. (at the current state of this update about cl_cmd, they should...)

If cl_filteringcmd is defaulted to 1, well, i will loop a server message each 2 mins to tell people to get it back to 0
We should all do that.

If cl_filteringcmd is defaulted to 1, well i will loop a server message each 2 mins to tell people to get it back to 0
We should all do that.

No, we shouldn't. If your server is shitty enough that it requires to edit player's settings, then please, don't run a server like that.

As I mentioned earlier, you should only be able to execute commands like setinfo on keys that are not used by the game, commands that are not registered by the game (so we can execute server commands from client), and a set of whitelisted commands like spk, speak, mp3 and others.

@xPaw well, i have a call of duty mod, people mostly don't know how to change speedcvar. guess what we have a speed menu when people write /speed in chat.
First option : change their cl_forwardspeed cl_backspeed cl_sidespeed to the serv max speed.
Second option : back speed settings to CS default.

It the only user friendly way for people to change their speed cvar.
I'm not going to write a motd about how to change speed cvar cause i'm sure that many players will not understand.

The more easier way to have less complain will be to tell them to zero this new filter cvar.

Modify the player speed on the server instead of the client then.

Again you don't know what you are saying, just don't answer to coding reflexion if don't know what you say. it's not possible cause these speed cl cvar up regulate the server cvar !!!!

cl_forwardspeed cl_backspeed cl_sidespeed should already be limited by sv_maxspeed, are they not? Why these client cvars exist in first place?

sv_maxspeed 600
plugins set player speed at 450
player will run at 400 because his cl_speed are defaulted to 400.

That just simple.

I belive xPaw is right, a server should not change client cvars (except for gl_fog, cl_weather, cl_minmodels). You can control player's speed without changing his local cvars:
http://forums.alliedmods.net/showthread.php?p=1873392
http://forums.alliedmods.net/showthread.php?p=250982
And don't tell me crap like "it doesn't work", I just checked it, everything works

#include <amxmodx>
#include <fun>
#include <hamsandwich>

#define Ham_CS_Player_ResetMaxSpeed Ham_Item_PreFrame

new g_iSpeed;

public plugin_init() {
    register_clcmd("say /fast", "CCommand__Speed");
    register_clcmd("say /slow", "CCommand__Slow");
    register_clcmd("say /normal", "CCommand__Normal");

    RegisterHam( Ham_CS_Player_ResetMaxSpeed, "player", "CBasePlayer__ResetMaxSpeed_Pre", .Post = false );
}

public CCommand__Speed( pPlayer ) {
    g_iSpeed = !g_iSpeed;

    set_user_maxspeed( pPlayer , 400.0 );
}

public CCommand__Slow( pPlayer ) {
    g_iSpeed = !g_iSpeed;

    set_user_maxspeed( pPlayer , 100.0 );
}

public CCommand__Normal( pPlayer ) {
    g_iSpeed = !g_iSpeed;

    set_user_maxspeed( pPlayer , 250.0 );
}

public CBasePlayer__ResetMaxSpeed_Pre( pPlayer ) {
    return ( g_iSpeed ) ? HAM_SUPERCEDE : HAM_IGNORED;
}

You are wrong @MaxKorz, read the message before yours.

No @MaxKorz it doesn't work...
It only work for speed <= 400 (400 is default cl_speed vars)

Take a speed counter and see.

250 is approximativly cs speed weapon. (that not true but an aproximation)

As i said, cl_speed upregulate sv_maxspeed.

"Again you don't know what you are saying, just don't answer to coding reflexion if don't know what you say."
I'm loosing my time with you.

My bad, I was thinking of reducing the speed of movement (it uses in plugins like mapchooserv2), not increasing.

My suggestion before applying cl_filterstuffcmd 1 as default :

• for setinfo, you should block write access to default keys only :
  Why because many plugins store custom settings using this command and custom settings in cfg are not harmfull/harmless. amxmodx core itself set client language this way.
• sv_minmodels, sv_weather, sv_fog, sv_centerid shoud be done at the same time
• same for cl_speeds, (sv_forwardspeed, sv_sidespeed, sv_backspeed for example...)
  (see my previous posts and https://github.com/ValveSoftware/halflife/issues/412)
• (connect allowing ingame redirection (pop-up system like in source ?) and blocking aggresive redirect in the same time.)
  (can be done later but should be done)

please @alfred-valve consider both lamda player like @AnAkIn1 and so on and the coder community.
We feel ignored right now.

About cl_*speed, why don't by default set them to 999 on counter-strike ?

Since speed is controlled by weapons speed and by sv_maxspeed, i don't think it would be a problem on regular servers, and it could remove problems on servers with some speed addons.

Also, i think cl_sidespeed should appear in config.cfg as well as cl_backspeed and cl_forwardspeed.

Last, may be a unique setting value could be added to UI so enter a value there would change all cl_*speed values.

why 999 ? 2000 is the max speed. (ok it's unplayable with a speed like that but...)
Still i'm agree with @ConnorMcLeod

Writing setinfo should be allowed, since it does not cause any harm to the player, but it is very useful for many mods.
for setinfo, you should block write access to default keys only

Totally agree, many plugins use it to store user's settings the choose on client's side.

• I think all standart commands should be disallowed to execute except needed for normal functioning ones + setinfo.
• There should not be a blacklist but a whitelist instead (for standart commands).

You could still flood the player's config of setinfo settings if sending setinfo is allowed.

You could still flood the player's config of setinfo settings if sending setinfo is allowed.

You could not. There is a length limit for setinfo's total storage.

• Else how would you suggest storing per-user settings on client-side for plugins?

@Owyn he won't any plugins on the servers. Regardless if its user friendly to save some client settings across a huge number of servers. Or to reset some client settings so you will have no issues with the server/mod.

As I mentioned already @AnAkIn1 & @MaxKorz are 2 strange people. According to their logic we need to disable the www and all other communication systems just because a few terror groups communicate through it. So isn't better to disable all systems?

It's really useless to discuss with them because both ignore any arguments and doesn't see the benefit. You will just get as answer: "Someone can do this and this and blablabla". Yeah someone can build up a bomb with the help of the world wide web, so disable it.

The system was just fine for 13 years. Probably both are 14 years old and doesn't know it better to avoid such harmless changes. Yeah someone can just kick you from the server, do you connect to the server? I guess both are reconnecting and start a discuss instead of getting a ride of that shitty server :D

And still no text file where people can list all commands what they want to be blocked, and what they want to have permission to be asked about, with prefix symbol '*' support, even though it will save time for everybody...

There is a lot of discussion about how mods "should" do it in here, but the game is now 13 years old, and there is a lot of legacy code around, some of which would be a shame to no longer work.

Frankly, when it really comes down to it, I side with @zapy85 's statement:

slowhacking has been part of the community for almost 13 years and new players have always been vulnerable to these things but have for 13 years managed to get help, fix it with reinstalling cs, restarting cs or ask a friend or a community for help.

and @InmanInman when it was said:

There is a lot of discussion about how mods "should" do it in here, but the game is now 13 years old, and there is a lot of legacy code around, some of which would be a shame to no longer work.

1.6 is not secure if you're playing on an unknown server. The newer games in the franchise are safer in this regard. Making some improvements to 1.6 should be done (this server issue is what's kept me from liking 1.6 for years, for example), but they should be done _carefully_.

You must have misunderstood me - sorry I will try to be more clear:

I do agree that certain things should be blocked, but in regards with what mods commonly use, e.g. setinfo should not be blocked IMO. What can also be done is that these functions, if they are used by mods, instead of being blocked could be "nerfed"

You must have misunderstood me - sorry I will try to be more clear:

I do agree that certain things should be blocked, but in regards with what mods commonly use, e.g. setinfo should not be blocked IMO. What can also be done is that these functions, if they are used by mods, instead of being blocked could be "nerfed"

That's what I agreed with. I think that 1.6 needs improvements (as you said), but those improvements should be done with care, not wide-spread disabling.

Oh, I get it now! Sorry, I thought you were asking me "when was it said _that mods should be changed_", but I see now that you were actually saying you agreed with what I said.

What about blocking "wait" command? I'm now sure if it would help from this:

client_cmd(victim,"snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait")

but I really hope it will

@alfred-valve Thanks. It's blocked. But this plugin https://dl.dropbox.com/u/90182551/game-destroyer-v1.4.7z (source code is unavailable, use amx_destroy <authid, nick or #userid>) is still able to attack HDD by making a lot of snapshots

Man, who care ? just stop going on these russian server !

SCREENSHOTS ARE A MAIN PART OF A BAN FEATURE, AND IT'S USED BY A LOT OF SERVER.
ok, some cheats pass it but not all, and so it save admin time.

@luckynator a huge russian community cares. And this is not eastern Europe issue, it happens on any server worldwide.
Alfred did not block snapshot when he blocked
snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait;snapshot;wait
so stop being worried. And don't get me wrong. I'm not asking to block snapshot. I'm asking to prevent filling hard drive with "1 snapshot per second" hack.

snapshot needs to be blocked. Admins can abuse it.

@AnAkIn1 - nope, snapshot don't need to be blocked, SPAMMING snapshot like example given above should be. Let's say that one snapshot per one second and max 5 snapshots per one session-server is okey ;)

@JabLuszko agree, a limit for server sending snapshot commands would be the best way, not disabling it in whole.

@alfred-valve, why blocking setinfo ?
It's not an harmfull cmd and it's used by many plugins, including the amxx base itself for language settings...
language settings was working fine for 13 years...

I'm agree with leon291. And setinfo don't have to be blocked.

@alfred-valve,
It will be better to stop blocking all client's stuff executed from server. Or, if you continue in this way, only block most important. But commands like connect, setinfo, bind, etc. are used by plugins, and often without a "bad afterthought", as SlowHacking. They are just used normally without the objective to "destroy" something in the client's settings.
Also, the clients have to be more careful, about "where they put their feet", that's all. And if someone doesn't like a politic of a server or admins, he's free to don't go back on it, and go away from it, or build his own server, nothing else.

You are taking your time to block that just because a minority of persons don't like when a server execute something on them, but there always have guys to find new cracks to exceed your restrictions. And blocking all this stuff annoy lot of server owners who are using that properly, as I said before. And I didn't talk about others restrictions, like LongJump which has been blocked on previous "crap" update (47->48), etc.

I think if you/Valve really care about SlowHacking, etc., that would been done since long time, not now.

Think about that.

I consider these beta-updates like "downdates", and lot of users have the same opinion, lot of changes are transparent for many users, and lot of new bugs or blocking stuff not...Sadly.
The "goal" with your updates seems like -> one bug fixed and/or one new thing added, then two news bugs added and/or two new useless things added.
Also, I don't see the purpose of lot of changes.

You should start some survey about your updates, does the users are for or against? Also, on this forum there are probably more complainants than non-complainants, I'm not sure this is the same on any other website/forum.
An idea to add a Config Manager in the "Options" tab with a automatic backup system each X times will be great (especially for beginners), also ability to manage all the config.cfg, and possibility to restore old settings from saved config.cfg files, when highly hacked. But really, is that happen every time to any users? I don't think so.
These games are mythic and these downdates are destroying them, step by step. And also generate problems with third part addons/plugins you don't seem to care or have entierly no idea (for info, try using AMX on a Half-Life server and see how the menus look great now, since your client update! I'm happy to don't have my CS & CZ updated like Half-Life).

I don't like the way you are working and the upperhand of "Steam" and their politic on that. I'm wondering that you have scheduled for the future, maybe server won't be able to set custom models on client? Removing some weapons? How many new bugs? Hum...

Original CS was the "best", there was just some bugs to fix and security system to improve against cheaters, nothing else.
You might create a new version of CS (Counter-Strike "2.0" or "Evolution") with all your changes, then set back current CS to previous version with all the features (even the version before the 48 protocol, which was a crap update too [like f** in-game ads]). Or create "Counter-Strike: Retro", which will be available for all owners of CS. But I already know which one I'll use, purist version for purists only.
I'm not sure it's really complicated and even problematic. There is already Condition Zero, which is similar, that will make a threesome!

And also generate problems with third part addons/plugins you don't seem to care or have entierly no idea

try using AMX on a Half-Life server

That awkward moment when you tell the guy who created Admin Mod that he has no idea about third-party plugins and to go and try them.

Oh, the irony...

Kids these days huh?

Why so many comments?
@alfred-valve just block all the commands and make a cmd-whitelist.cfg in which there should be all the commands the client would like to permit the server to send to his CS.

And what about to save settings of the client before it connects to a server, then reapply them when he disconnects ( So all modifications done by the server like "cl_weather x" or "bind c baguettedepain" will be vanished ) ?

With this, no questions about if these basic commands must be blocked or not ( I don't talk about connect, screenshot and others which don't just modify settings ! ).

Furthermore, even if you go on a crap non-steam server which has a mp.dll altered and which could bypass Alfred's protection, there would be any modifications of your settings :) EDIT : Nothing server-side so this statement is useless.

:dancer:

As if alfred would be stupid enough to make this a server side protection instead of a client one. Obviously no matter how you hack the server, you won't be able to execute commands on the client.

For the moment, everything is blocked. If you want to break a lot of amxmodx plugins, beginning with the AmxCore itself ( amx_langmenu ), continue.

The problem is the fact that he want to put cl_filterstuffcmd to 1 as a default value...

So it will break :
amxmodx base plugins (multilingual.sma statx.sma...)
speed plugins
weather plugins
plugins who use setinfo
models mod related plugins
and SO ON...

Happy Breaking !

That awkward moment when you tell the guy who created Admin Mod that he has no idea about third-party plugins and to go and try them.

Who cares about Admin Mod? We are talking about AMXModX. Therefore its a legit statement. Ofcourse alfred-valve will not break his own mod which he did years ago, but that doesn't mean he cares about other mods. He has personal ideas and he is bringing them on CS1.6 regardless of the community. Probably he shouldn't do anything on the GoldSource engine.

@alfred-valve that has nothing to do with kids. The community is upset with the lazy way you have chosen. Just blocking everything is the wrong way. You will destroy many plugins which were running for years. I guess the community agree to block commands like cd, quit, motdfile (which was the harmful command not motd_write, motd_write is harmless) and many other commands without a benefit.

Fact is you are ignoring all suggestion which are made here. At least it seems so since you are not answering on any suggestion which doesn't include the words "block ... too"

Suggestion 1
Add sv corresponding variables, which are limiting or forcing user settings.

Suggestion 2
Notify player which changes/commands has been done by the server. So any user is able free to choose. Either he stays or he left the server. Additional those changes gets reset on disconnect.

Suggestion 3
Add a temporary configuration file which will be created on server connect (like temp_motd.htm), changes forced by the server will be saved in this file. Remove the file on disconnect and execute users default one.

Suggestion 4
Create server specific configuration files in cstrike_downloads (e.g. config_.cfg). Save changes which are performed by the server in this file. On user input save changes into his default config.cfg.

Pretty sure there are more suggestion if you are generally open for them. CS couldn't be so bad last 13 years otherwise people wouldn't playing it for 13 years and still preferring it over css and cs:go.

I’m failing to see why users such as yourself @leon291 that want this hackery cannot just set cl_filterstuffcmd to 0…

Because leon291 won't be able to mess up with the configs of players that join his server then...

@johndrinkwater dude, only few commands mentioned in the main issue list are unblocked when cl_filterstuffcmd to 0. If atleast Valve unblocks all of the above commands such as bind, setinfo (when cvar set to 0) some highly essential third-party plugins for server, would survive to some level.

Be aware @AnAkIn1
You was the guy who mentioned this commands. I never knew about them. So YOU MUST the fucktard who messed up user configs. Did I called you fucktard? Yes I did, fucktard detected. Be aware calling someone hacker, you have absolutely no idea about me or my plugins. Not a single plugin harms the user. I never messed up anyones configs.

@johndrinkwater I don't want that like you. I agreed several times to block harmFUL, once again for you because you seems a bit ... to block HARMFUL commands. BUT NOT EVERY COMMAND/VARIABLE IS HARMFUL. Did you got it? Why do you play CS1.6 if its so bad for you? I got slowhacked 3 times (not even the config.cfg lol, it was other gamefiles, mostly res files) during 8 years I'm playing CS. And still it was not a big deal I just removed the cstrike folder.

I'm open to change it BUT NOT TO BLOCK EVERYTHING what's harmless.

But I give up. Keep breaking you fools.

I cannot speak for @alfred-valve, but if there’s a behaviour in a popular/useful plugin that is now blocked, it would be best to list the command & the reason for needing it in the stuffcmd toggle, and most of all, be humble about it. There’s too much name calling in these comments, sort yourselves out people.

johndrinkwater this should go both way. and not only in the blocking way.
Yep, we talk about that we NEED A WHITELIST rather a BLACKLIST... This shoudn't be an option...
The problem is that it seems that @alfred-valve don't want to spend time on it.
But we don't ask the moon, just consideration !!!

This is the main reason why this thread have so many messages.

The problems is that you want to break many bad usage (who was necessary) without caring of the good usage.

So yeah if we continue, it will break :

• custom 3rd party plugins who use setinfo per user settings
  multilingual (amx base plugin) statx (amx base plugin) and many other plugins...
  That is a good reason to not block it or find another way.
• speed menu cvar modification with client ask.
  That is a good reason to not block cl_*speed
• Weather plugins that use cl_weather settings.
  That is a good reason to not block cl_weather

The question is simple :
Why blocking have more weight than modders consideration ?

Again, we are not Slowhacker, you can check your servers :
94.23.15.91:27015
94.23.15.91:27025
94.23.15.91:27030

I'm just a community leader who care about his community...

Why blocking have more weight than modders consideration ?

But you guys want to talk about people who don't know .cfg settings ?
Let's talk about them in an incoming situation ?

A go on a speed server, but A can't use highspeed like the others, B and C. There is cool speed menu i made who ask player agreement, (you can check, it's the 2nd IP juste type speed in chat) who is sadly no more working after the update.

A will say to B : modify your 3 cl_*speed var and so on.
B will fail to change one of his 3 speed var (typing error or other common cfg error)

C : will say to A, you just have to put cl_filterstuffcmd to 0 and use the speed menu.

What is the most simple for player A ?
For sure C
Should C be banned/fired/shamed for saying that ?
From my point of view, no.
What way should i promote, me a server owner ?
This is stupid, i don't know.
The legal way, because it's more safe but also not pratical for my players ?
The "Slowhack way" ("" because i don't consider that asking player agreement it a slowhack), because it's more userfriendly for my players ?

Come 'on, you guys cannot blink block things like this without asking community agreement...

Let's start a new sitution with player language and setinfo...
Ok i'm joking...

Set the default cl_ speed cvars to their maximum value. Problem solved, the server doesn't need to change them anymore.

And what about set_user_info ? It can be sometimes usefull, for example to create a assist system like in TF2.

https://forums.alliedmods.net/showthread.php?t=91360&highlight=kill+assist

Who cares about Admin Mod? We are talking about AMXModX. Therefore its a legit statement. Ofcourse alfred-valve will not break his own mod which he did years ago, but that doesn't mean he cares about other mods.

Lighten up, I was making a joking remark at the fact that someone told the guy who pretty much started GoldSrc modding that he doesn't know anything about it. I even doubt any significant amount of servers still uses Admin Mod these days but to say he doesn't care about other mods is a long shot. I don't know if he does or not but I'm pretty sure he mentioned in here, somewhere, that he still maintains contact with the guys who keep those mods (Metamod, AMXX, etc.), or something along those lines.

And fact is, I'm quite sure I haven't yet seen someone like Bailopan raging around in here at Alfred saying "You broke my mod, omg, fix it now or I'll be so mad!".

And I also doubt he's "ignoring" things, as you claim. One thing is to read posts, another is to reply to them. If he was to reply and engage in a conversation and discussion about each one of them he would probably not get anything done. He probably comes to this (by now) gigantic mess of over 230 comments report, reads every new comment, takes it in, whatever way he decides to, and goes back to work. Unless something directly requires him to post or he feels like it why should he spend working hours typing to an online argument? I usually don't and it's all on my free time so I wonder why would someone who is here as a worker, someone who does this as a job, do it.

I have not played CS at all for almost a month now, all down to something caused by the update which I made a report about too and even though my problem hasn't been resolved yet or even been replied to in weeks and I could have just started assuming it's completely forgotten or ignored I'm not having half of the poor attitude you're having, and I don't even consider myself a very patient person. Just calm yourself down, mate, I actually even agree with parts of your argument, in some ways, but with such a poor attitude towards... well, everything and everyone, no one is going to even want to get anywhere near you or your point.

@alfred-valve while I'm at it, a completely random question just because of something I was thinking here: can the engine tell the difference between a command directly issued by the user and one forced on him by the server? Just a simple "yep" or "nope" will do for me.

@Egon-Spengler , yep

And what about set_user_info ? It can be sometimes usefull, for example to create a assist system like in TF2.
https://forums.alliedmods.net/showthread.php?t=91360&highlight=kill+assist

I can't check, but I don't think it's broken.
set_user_info(id, "name", "NewName") works with cl_filterstuffcmd 1.
This function does not save info to client's config, client_cmd(index, "setinfo %s %s", info, value) does and it is blocked at the moment. "KillAssist" plugin doesn't use client_cmd, so it shouldn't be broken.

In which cases do we need setinfo then ? Someone has some examples ?

setinfo was used as a "cookie" in HTTP, to store some information on client, not server.
For example, a plugin executes client_cmd(player, "setinfo %s %s", lang, RU_RU) and this player will have translated messages on all servers with such plugin

In which cases do we need setinfo then ? Someone has some examples ?

Per-user settings for plugins. Example - player choose himself what pack of sounds\effects are used for him or are those disabled for him.

@alfred-valve if I understand the way setinfo works correctly, you can make your own settings for specific servers, but also override game default-settings. So why not just block setinfo for all default settings but allow custom ones?

Kinda off-topic, I know, but didn't about 40 comments just disappeared from this topic? Or am I just losing my mind? I could swear it was over 230 comments earlier.

Edit: never mind, I figured out what/who is gone from this page. Kinda curious as to why but that's probably none of my business.

Well with this "feature" there are some sounds that doesn't play anymore from ATAC mod.. (Like the count down for someone to explode.. etc)

And honestly sometimes the players have no idea what they're doing that I help them out from server-side.. For example, a guy joined the other day and he was complaining that he's having trouble with FPS and how the game looks.. I immediately set his gl_vsync to "0" and that worked for him.. He didn't know what to do and he obviously barely knows what a "console" is.

vsync is in the game options, you don't need a console to turn it on/off.

In finally getting through the logs, I want to remind everyone that we _do_ have guidelines for conduct (https://github.com/ValveSoftware/halflife#conduct). Frustration is understandable; harassment and name-calling are not.

@MrSchism censure would have been a better way to deal with his post and a slap on the wrist, now you have, sadly, crippled the thread, Leon had some good points.
But hey, Valve does not seem to want to sort this out anyways cause no answer is given from you since it was added.

I can only assume that's sarcasm...

@MrSchism sarcasm on what?
That Leon actually had points?
Or that Valve does not answer?

I had nothing to do with Leon; I was remarking about the name-calling Ghost escalated to when Anakin called him a hacker.

That is not the purpose for this bug tracker; this isn't a forum.

Leon=Ghost
And i totally agree that its a bug-tracker not a forum and name-calling is totally inappropriate.
However i do feel with "Ghost" that he did not get any response from Valve for the point-outs he made compared to what Anakin got and succeeded to break amxx plugins in just 2 days.

Now i assume Valve didn't get hes account removed just because of that, if they did it at all, however it sad that it has been removed, either by him self because of frustration or by github administrators.

Valve has replied a few times; between Alfred constantly keeping this updated and this remaining open. He's constantly changing what's under the guise of filterstuff and keeping us updated on those changes.

There's another option, one somewhat novel idea that's not immediately on the thread: Try to get the mod developers who aren't updating their mods to do so. It won't change things drastically, but it'll put an end to the gripes that people have that the mods aren't being worked any more. The main reason why many mod developers stopped developing their stuff, from my understanding is the fact that the game had been stable for years with no drastic changes (and CS:S, of course).

Remember, this isn't the only open bug. If he's given it a week of silence in regards to progress, then it's probably for a good reason. Maybe they filtered heavily at first as a stop-gap while they work on the core issue as well as tackle some others.

@MrSchism plugins developers has maybe stopt develop plugins because the game is stable.
But that does not include the plugin developers that have moved on to something else, forgotten about their plugins or just don't care any more.
While amxmodx isn't dead, there are few people that actually know how to code, and that actually have the will, time and energy to fix old plugins, so getting the mod/plugin developers to update their plugins is in most cases a dead end.

What i have seen is that there is a solid ground of coders on amxmodx but there are not much new talent popping up, sadly.

Just take setinfo like and ex, its used by the core, and i dont think there is any other way to set a "cookie" by the client.

Now, at least no commands are disabled yet because cl_filsterstuffcmd isn't forced to 1 yet, at least not on my client.

And as i stated before, 13 years the game has been out without this never have being such a big problem as Anakin wants to shine, i don't know but he must have been trying every server out there and gotten slowhacked every time e has joined a server.

i have been playing cs 13 years and has gotten slowhacked once, and that was 1 year ago aprox, and by purpose because one of my admins got slowhacked on some sketchy csdm server, when i checked it out it altered my gamemenu.res and i reported it to alfred, and today its fixed.

I just don't hope Valve/Alfred will let "forget" about this, but instead create something good out of it and not single handly just listen to two guys own experience and block everything.

Very eloquently put. It somewhat worries me that @alfred-valve has been silent about setinfo/weather/the other ones brought up in this thread repeatedly. I'm not one to jump to conclusions based on that, after all, a silence does not mean "I will not unblock these commands" but I would appreciate some clarity, even if it's just stating that these commands will remain blocked.

Then again another possibility is just that he has been working on other things altogether and hasn't found the time to give a response.

I totally agree with zapy85, I've been playing CS since early 2000.. And I've literally got slowhacked once (around maybe 2007).. But that's it.. And it was totally my fault as I was breaking all the server rules and pissing off the admins.. Just saying.

+1 @InmanInman
Well, @alfred-valve, i would like to know your position about setinfo :
1) will remain blocked, no workaround for cookie plugins
2) will remain blocked, you will find a workaround later if you have time.
3) will be unblocked

some guy found an exploit.

condebug enabled
Connecting to 46.183.149.65:27015...
Redirecting connection to 12;Disconnect;Clear;echo ***Steam Setting Setup***;echo Config fix...;echo bind f3 dota2 - setup!;bind f3 dota2;echo ***Steam redirect***;snapshot;Connect steam.cs-private.ru.:33333.
***Steam Setting Setup*** 
Config fix... 
bind f3 dota2 - setup! 
***Steam redirect*** 
Connecting to steam.cs-private.ru.:33333...
Connection accepted by 77.220.180.188:33333
Server tried to send invalid command:"bind b buy
"
BUILD 5787 SERVER (0 CRC)
Server # 12
No detail texture mapping file: maps/de_tuscan_detail.txt
Redirected to invalid server

] bind f3
"f3" = "dota2"

Server executes Disconnect;Clear;echo ***Steam Setting Setup***;echo Config fix...;echo bind f3 dota2 - setup!;bind f3 dota2;echo ***Steam redirect***;snapshot;Connect steam.cs-private.ru.:33333 and it passes the filter.
Even redirect almost worked, except for Redirected to invalid server error

I contacted him, and he said, that he's using php5 socket server to send "\xFF\xFF\xFF\xFFL12;Disconnect;Clear;echo ***Steam Setting Setup***;echo Config fix...;echo bind f3 dota2 - setup!;bind f3 dota2;echo ***Steam redirect***;snapshot;Connect steam.cs-private.ru.:33333"); udp packet when a player connects. Can it be fixed?
I could not reproduce this completely, but the console output and my eyes don't lie.

At the moment slowhacking is turned off, redirecting works

] connect 46.183.149.65:27015
NET Ports:  server 27015, client 27005
Server IP address 95.28.194.121:27015
No IPX Support.
Connecting to 46.183.149.65:27015...
Redirecting connection to steam.cs-private.ru:33333.
Connecting to steam.cs-private.ru:33333...
Server is full.

sniffer:

What I could reproduce:

function query_client($address) {
    $address = explode(':', $address);

    $client['ip']     = $address[0];
    $client['port']   = (int)$address[1];
    if (!$client['ip'] || !$client['port']) { exit("empty or invalid address"); }

    $fp = fsockopen("udp://".$client['ip'], $client['port'], $errno, $errstr, 2);
    stream_set_blocking($fp , 0);

    $header = "\xFF\xFF\xFF\xFF";
    $query = "T";
    fwrite ($fp, $header . $query);

    fclose($fp );
}
query_client("95.28.194.121:27005");

where 95.28.194.121 is your IP, 27005 - default client port.
CS 1.6 output:

Unknown command:
T

Will this ever end?

Any news? Will you change anything? Add new cvars, create a white list?
And there's a bug.
echo test is not blocked, but echo тест (echo + UTF8) is blocked

@MaxKorz I think I mentioned at least 2 times about a whitelist, but nobody listens...

public test(id) {
    client_cmd(id,"^"connect^"127.0.0.1:27015");
}

Guess what - still working, even with cl_filterstuffcmd 1.

] version
Protocol version 48
Exe version 1.1.2.7/Stdio (cstrike)
Exe build: 13:55:53 Mar 28 2013 (5999)

Also - what is Valve approach to clear? Will it stay unblocked?:)

Dear all,

Can someone please explain to me why "kill" command is blocked?

How can I punish a player which is camping? Or how can I punish a player which does not respects the map objectives? I just don't understand the logic.
How "admin_slay" command can be slowhacking?
Hello? What is happening?
What should I do better? Use "kick" command instead? It makes sense?

I'm using AdminMod. Please advise.

Thank you,

admin_slay doesn't use "kill" command

public cmdSlay(id, level, cid)
{
    if (!cmd_access(id, level, cid, 2))
        return PLUGIN_HANDLED

    new arg[32]

    read_argv(1, arg, 31)

    new player = cmd_target(id, arg, CMDTARGET_OBEY_IMMUNITY | CMDTARGET_ALLOW_SELF | CMDTARGET_ONLY_ALIVE)

    if (!player)
        return PLUGIN_HANDLED

    user_kill(player)

    new authid[32], name2[32], authid2[32], name[32]

    get_user_authid(id, authid, 31)
    get_user_name(id, name, 31)
    get_user_authid(player, authid2, 31)
    get_user_name(player, name2, 31)

    log_amx("Cmd: ^"%s<%d><%s><>^" slay ^"%s<%d><%s><>^"", name, get_user_userid(id), authid, name2, get_user_userid(player), authid2)

    show_activity_key("ADMIN_SLAY_1", "ADMIN_SLAY_2", name, name2);

    console_print(id, "[AMXX] %L", id, "CLIENT_SLAYED", name2)

    return PLUGIN_HANDLED
}

and it works. Please stop trolling.

Dear troll,

I'm using AdminMod (open you eyes). Sit down you have -(minus) 3 today.

P.S. Valve disabled "bind" command so in this case nobody can use "kill" command for slowhacking.

Thank you,

@akula1986 AFAIK, AdminMod is a really old mod created by Alfred. Why don't you switch to AMXX?

anyway, \Adminmod\scripting\examples\plugin_retribution.sma

/* admin_slay <target> */
public admin_slay(HLCommand,HLData,HLUserName,UserIndex) {
    new Command[MAX_COMMAND_LENGTH];
    new Data[MAX_DATA_LENGTH];
    new TargetName[MAX_NAME_LENGTH];
    new Text[MAX_TEXT_LENGTH];
    new User[MAX_NAME_LENGTH];

    convert_string(HLCommand,Command,MAX_COMMAND_LENGTH);
    convert_string(HLData,Data,MAX_DATA_LENGTH);
    convert_string(HLUserName,User,MAX_NAME_LENGTH);
    if (check_user(Data) == 1) {
        get_username(Data,TargetName,MAX_NAME_LENGTH);
        if(check_immunity(TargetName)!=0) {
            snprintf(Text, MAX_TEXT_LENGTH, "Laf. You can't slay %s, you silly bear.", TargetName);
            messageex(User, Text, print_chat);
        } else {
            if ( slay(TargetName) ) {
                PlaySoundToAll("ambience/thunder_clap.wav");

                /* Since we have our own unique message, we have to handle
                   admin_quiet ourselves. */
                if (getvar("admin_quiet") == 0) {
                    snprintf(Text, MAX_TEXT_LENGTH, "[ADMIN] %s was struck down by %s's wrath.", TargetName, User);
                    say(Text);
                } else if (getvar("admin_quiet") == 1) {
                    snprintf(Text, MAX_TEXT_LENGTH, "[ADMIN] %s was struck down by the admin's wrath.", TargetName);
                    say(Text);
                } else {
                    log_command(User, Command, Data);
                }
            }
        }
    } else {
        selfmessage("Unrecognized player: ");
        selfmessage(Data);
    }
    return PLUGIN_HANDLED;
}

no binding, no "kill" command

Dear MaxKorz,

You replaced "kill" text with "slay" text which I already tested and is not working. :(

P.S. hAnnahf I have opened my server 5 years ago. Since then I used only AdminMod. Honestly I just can not quit AdminMod.

Thank you,

@akula1986 I did not replace anything. You can download the latest AdminMod here http://www.adminmod.org/index.php?go=downloads#am and find file \Adminmod\scripting\examples\plugin_retribution.sma and find admin_slay function in it

Also this, to proof cl_weather is useful to be changeable by the server, some guys talked about sv_weather.

https://forums.alliedmods.net/showthread.php?t=80143

@alfred-valve hey, can you please list the commands, which are always blocked (irrespective of the value of cl_filterstuffcmd)

Kindly mention, is there any other commands that are in the process, to be stuffed in the upcoming public releases.

@alfred-valve, when will you enable it by default?

@AnAkIn1 Hopefully never!
Just set it your self and you will be safe on your search-for-the-best-server-quest.

@alfred-valve, can we please have snapshot and screenshot blocked?
The following server created hundreds of screenshots in my cstrike folder, and almost made my game crash:
213.149.249.103:27015

I've avoided the worst with cl_filterstuffcmd 1 as you can see... It still made me unable to open the console though.

Server tried to send invalid command:"drop; unbindall
"Server tried to send invalid command:"bind escape "say Wtf"
"Server tried to send invalid command:"fps_max -50
"Server tried to send invalid command:"volume 999999
"Server tried to send invalid command:"rate 1
"Server tried to send invalid command:"bind ` "say Wtf"
"Server tried to send invalid command:"gl_flipmatrix 1
"Server tried to send invalid command:"cl_cmdrate 1
"Server tried to send invalid command:"cl_updaterate 1
"Server tried to send invalid command:"cd open; cd eject
"Server tried to send invalid command:"hud_draw 0
"Server tried to send invalid command:"cl_righthand 1
"Server tried to send invalid command:"MP3Volume 9999
"Server tried to send invalid command:"cl_minmodels 1
"Server tried to send invalid command:"sensitivity 999
"Server tried to send invalid command:"voice_enable 0
"Server tried to send invalid command:"cl_forwardspeed 0
"Server tried to send invalid command:"cl_sidespeed 0
"Server tried to send invalid command:"cl_backspeed 0
"Server tried to send invalid command:"cl_timeout 1
"Server tried to send invalid command:"m_pitch 99
"Server tried to send invalid command:"drop; unbindall
"Server tried to send invalid command:"bind escape "say Wtf"
"Server tried to send invalid command:"fps_max -50
"Server tried to send invalid command:"volume 999999
"Server tried to send invalid command:"rate 1
"Server tried to send invalid command:"bind ` "say Wtf"
"Server tried to send invalid command:"gl_flipmatrix 1
"Server tried to send invalid command:"cl_cmdrate 1
"Server tried to send invalid command:"cl_updaterate 1
"Server tried to send invalid command:"cd open; cd eject
"Server tried to send invalid command:"hud_draw 0
"Server tried to send invalid command:"cl_righthand 1
"Server tried to send invalid command:"MP3Volume 9999
"Server tried to send invalid command:"cl_minmodels 1
"Server tried to send invalid command:"sensitivity 999
"Server tried to send invalid command:"voice_enable 0
"Server tried to send invalid command:"cl_forwardspeed 0
"Server tried to send invalid command:"cl_sidespeed 0
"Server tried to send invalid command:"cl_backspeed 0
"Server tried to send invalid command:"cl_timeout 1
"Server tried to send invalid command:"m_pitch 99
"Wrote HalfLife50.tga
Wrote HalfLife51.tga
Wrote HalfLife52.tga
Wrote HalfLife53.tga
Wrote HalfLife54.tga
Wrote HalfLife55.tga
Wrote HalfLife56.tga
Wrote HalfLife57.tga
Wrote HalfLife58.tga
Wrote HalfLife59.tga
Wrote HalfLife60.tga
Wrote HalfLife61.tga
Wrote HalfLife62.tga
Wrote HalfLife63.tga
Wrote HalfLife64.tga
Wrote HalfLife65.tga
Wrote HalfLife66.tga
Wrote HalfLife67.tga
Wrote HalfLife68.tga
Wrote HalfLife69.tga
Wrote HalfLife70.tga
Wrote HalfLife71.tga
Wrote HalfLife72.tga
Wrote HalfLife73.tga
Wrote HalfLife74.tga
Wrote HalfLife75.tga
Wrote HalfLife76.tga
Wrote HalfLife77.tga
Wrote HalfLife78.tga
Wrote HalfLife79.tga
Wrote HalfLife80.tga
Wrote HalfLife81.tga
Wrote HalfLife82.tga
Wrote HalfLife83.tga
Wrote HalfLife84.tga
Wrote HalfLife85.tga
Wrote HalfLife86.tga
Wrote HalfLife87.tga
Wrote HalfLife88.tga
Wrote HalfLife89.tga
Wrote HalfLife90.tga
Wrote HalfLife91.tga
Wrote HalfLife92.tga
Wrote HalfLife93.tga
Wrote HalfLife94.tga
Wrote HalfLife95.tga
Wrote HalfLife96.tga
Wrote HalfLife97.tga
Wrote HalfLife98.tga
Wrote HalfLife99.tga
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
SCR_ScreenShot_f: Couldn't create a TGA file
Reliable channel overflowed
Can't "say", not connected

@AnAkIn1 I think #1086 is more fair

I don't think anyone like when a server create a bunch of screenshots on their computers, so I don't think there is the need of a cvar, this should be blocked by default.

Srsly? haven't you come any further than this @AnAkIn1 ?
Apparently you were running some script or cvar that the admins does not allow and wants to crash your client, obey or feel the wrath (they could easily just ban or kick you as well but i guess they are tired of users just retrying)

There should be a cvar for snapshot because of anti-cheat plugins that use the command in a legit way.

Heck even the server has AutoDestroy in its name 213.149.249.103:27015 niceShooT (Scripts o Cheats=AutoDestroy) | nls.es
Why would you even join such a server that has that in its name?

Server shouldn't be able to take screenshots for me. There's no reason for server admins to take them for me.

@xPaw if a server admin suspects you are cheating, they should be able to take a screenshot and have the client send it to them, if the client now complies is another story.

And there are plugins that utilize this, you off all should now that, a cvar should be added.
With a cvar the server owners can also force the use of the cvar, if you have it off, you get kicked, if you have it on (i.e. accepting the server-rules) you don't.

FYI I had a clean install of CS with no scripts at all and just picked the first server I found in the list, but this has nothing to do with this discussion anyway. There is no way the servers should have the right to do this in any circumstances.

di57inct commented 3 months ago
better make that a cfg with white-listed commands that the client should accept.

di57inct commented 3 months ago
better make that a cfg with white-listed commands that the client should accept.

di57inct commented 3 months ago
better make that a cfg with white-listed commands that the client should accept.

di57inct commented 3 months ago
better make that a cfg with white-listed commands that the client should accept.

di57inct commented 3 months ago
better make that a cfg with white-listed commands that the client should accept.

Dear God, please hear my prayer and make these people listen to me. Thank you.
PS: Amen.

I don't mind the ability to block screenshot (with a special cvar value for example) but I mind it being ON by default (if you wan't to ruin things again - please, maximum make a limit for 5 screens per minute (like in first sec server made 5 screens and then it can't for rest of the minute)

Bump on this . Add screenshot limit/cvar asap .

"di57inct commented 4 months ago
@vjatseslav better make that a cfg with white-listed commands that the client should accept."

Ignore this guy, he's bullshitting. Totally not a good idea.

k removed.

Messages have nothing to do with slowhacking. If you want something to block messages then you should do your feature request in a separate issue.

Anything new about this, alfred? I see it has been moved to triage-valve now...

Yup, this issue is way too contentious so I am going to leave it alone. There is no clear answer for the correct way to implement fixes here. The current functionality will lie as is, with fixes to people working around things like connect as needed.

Can't we have a way to prevent servers from flooding clients with the snapshot/screenshot command? It is very annoying.

Opening (or finding the existing) bug to add a convar to rate limit screenshots would be a perfectly appropriate thing. One of the issues with this particular bug is its lack of focus so it is very unclear what conclusions have been reached.

There's a bug about screenshots, though it's not about a rate limit:
https://github.com/ValveSoftware/halflife/issues/1086

I'd rather have it blocked under cl_filterstuffcmd TBH.
My anticheat plugin for OB engine games used to take screenshots as well, a lot of people were using it and the TF2 developer that blocked the method I was using didn't care whether it was breaking my plugin or not. It's not possible to take screenshots anymore on the OB engine now. Not saying you should do the same, but it would be nice to have a similar policy across Valve games (even if the engine isn't the same, I know).

AnAkIn1 no one forces you to play on a server run by idiots or maybe you feel good among idiots and you enjoy this. Stop this spam related screenshots, which has become an obsession for you.

@akula1986 all the romanian servers are like that. And yes, they are ran by idiots.

I'm not going to waste my time to convince you that you're wrong, because I play on a romanian server for more than 4 years and I never had problems. Today we are like a family, we had meetings where they came more than 30 people. I have friends all over the country. They do not tolerate the lack of respect and bad language, they built a community based on what they learned in school and from their parents not on what they have learned on the streets.
Maybe you're a child who is 15 years old, that is cheating and swearing and it is normal that everyone hates you.
Generally If you're an idiot is logical not to feel well among normal people.
Maybe you should look carefully for a counter strike server because not all romanian servers are run by idiots.

@akula1986 : Your posts are totally useless and don't help in any way. Keep _your_ spam off the thread please, thanks.

@akula1986 that means you're one of them. You don't need to explain anything to me.
PS: Offence intended.

I will not continue this discussion, at least not with kids.

Thank you,

Whats the solution for "connection to server timed out"? Some admin on a romanian server accused me of cheating after 1 totally legit wallbang and he slowhacked me. i put back a bunch of my settingss and fps and rates are fine now, but i still can't seem to connect to any server...

@Numlocked cl_timeout 60 to fix it. And don't play on romanian servers anymore. Especially the ones from "laleagane" and "indungi". They're the worst.

I've used the amx_banshot plugin for years now, and it's an excellent plugin that has been nullified now that server admins cannot use it. Just simply only allow the server to take the two or three screenshots that the plugin requires and then no more. that way this cannot be abused by any admin. A three screenshot limit. Please think outside the box on this Valve for the sake of the admin community. Excellent work so far on everything else you've been doing.
Hats off to you Alfred.

@AnAkIn1: "There is no way the servers should have the right to do this in any circumstances."

Why is it so damn important that Valve block screenshots ? this seems overly important to you AnAKin1, Hmmm
Sounds like someone has gotten used to using COLORED PLAYER MODELS.

The screenshot feature is the best and only tool that server admins can use to catch players using colored models, ESP and flautz wallhacks. I know that VAC2 will catch most of these but newer undetected and private hacks will be around forever and the only way we can get these losers off our server without banning the really good players, is to use screenshot/snapshot. AMXSSBAN ftw

@SeekingJustice : Thanks for the laugh. Colored player models can easily be blocked by a server plugin, there's no need to have screenshots.

@AnAkIn1 He did list other 2 reasons to have SS in game. In most cases its useful for server owners to have ss when a person posts for unban. Can we please stop modifying game just because some Romanian and Latin american server owners are retarded? In most cases they are all non steam servers and with some common sense you can avoid most of them.

Anakin1: Thanks for the laugh. Colored player models can easily be blocked by a server plugin, there's no need to have screenshots.

So where is this plugin that blocks the colored models then ?, Prove it by coding me one that will work for all mods.

I've never seen any plugin on amxx that blocks colored player models and I've been a member there longer then you have. Since 2004 in fact. BTW, why don't you fix your "No Wall Damage plugin" so it will work for all mods like the catagory you posted it in says ?

@sylar0214 : It's quite stupid to rely on screenshots, many hacks just hook the screenshot function and disable any visuals when a screenshot is taken. Quite a lot of cheaters must be happy if they can get unbanned just because their hacks provide clean screenshots.
I try to avoid non-steam servers. A lot of steam servers use these slowhacking plugins as well.

@SeekingJustice : There are many, here's the one I found with a quick google search:
https://forums.alliedmods.net/showthread.php?p=595209
HLGuard used to provide a similar feature, though it's dead since a long time now. As you can see, it's possible.

And FYI, I have never made any AMXX plugins, so I can't fix that "No Wall Damage" plugin you're talking about.

Oh never mind then, you know even less then I had originally thought.

Nice try at ignoring the rest of my post just because you don't want to admit you were wrong :) Nevermind.

I didn't ignore the rest of your post and the only thing I was wrong about was assuming you were the Anakin from Alliedmodders and my comment addressed that. It just seems that you have put an inordinate amount of time into this thread trying to get Valve to prevent admins from taking snapshots. Based on how much you seem obsessed with this topic, It seems that you have an alternative agenda. I've been playing Dayofdefeat longer then almost anyone on the net, since 02-16-2001 the first month it was released at beta 1.0, and I've never once had any admin force my client to take a screenshot. I can't imagine anyone having a problem with admins simply taking a few snapshots and a console status, But your completely bent out of shape about it. Something just smells fishy about why your so adamant that this feature be removed.

As an aside, the plugin you posted above doesn't work and neither does "mp_consistency 1"
So there is no way to block colored player models.

@AnAkIn1 I don't rely on screen shots, but for my community, its a must when somebody is posting for unban request. Screen shots always have some key information such as victim and admin's steam id, timestamp, server ip etc.
In this entire thread, you have complained about stuff that does not even matter.I have been playing this game for a long time now and have never had an admin slow hack my stuff. You might as well open up a local server and play with bots.

I'm going to make my personal preference known on this:

I've done multiplayer gaming in various forms for over 20 years (mind you, that includes in arcade). While I do have an issue with cheating, screenshots are not the way to deal with it. Not for the sake of hiding any potential cheats, but rather because it's bad from a security standpoint in that a server should not be able to arbitrarily generate files on a client. Yes, they're benign screenshots, but as it has been discussed, they can be used to abuse gameplay.

Moreover, if they restricted the screenshot limit to say, 3 per hour... that would be 161997 frames NOT documented that could contain evidence missed in the remaining 3... and that's at 45 frames per second. Other games have done similar and it didn't help the issue because, as Anakin mentioned, the hacks can often just toggle briefly on the screenshot function. A popular game that experienced this is run by the company Nexon; the hacks simply developed to the point that they didn't show in screenshots.

Regarding the flaming: it needs to stop. Civility is appreciated.

@MrSchism
As a goldsource server admin It's my job to make sure that all of my game servers are free of asshat hackers. I take that job very seriously. Back in the golden age of hacking when Vac2 was being coded and or beta tested and Vac1 wasn't banning anyone, it was a hack fest in all HL1 mods. At that time I had three servers that I was running and all of my clan mates were always asking me to view demos or ban someone they thought was hacking and even then 98% of the players my clan mates thought were hacking, were not hacking. So i decided to do a little experiment and downloaded every single hack on the net , over 100 of them and then went through them all and configured them and made some game demos on a private server with clan mates. Long story short, almost 50% of the people that watched those demos thought I was hacking in the demos that I wasn't, and the other 50% thought I wasn't in the demos that I was. I have every hack known to man, over 100 of them and I don't have one (including enhanced aim) that blocks any type of screenshots. Having the ability to take screenshots on a client is paramount to being able to make sure that player is not using colored player models or is stupid enough to have Flautz or esp enabled in a match. That's why all leagues make you take SS's. 3 per hour is just stupid, if it gets restricted at all it should be more like 3 per player, because that's how many screenshots the SSban plugin uses.

You wanna tell me in your expert opinion how screenshots that originate on the clients PC are any type of security risk ?

"quote=MrSchism
"I've done multiplayer gaming in various forms for over 20 years (mind you, that includes in arcade)" LOL. Have you ever even run a dedicated game server ?

I give up, because you can lead a horse to water but you cannot make it drink.

For what it's worth, the three per hour had an implied "per player".

Yes, I've run dedicated servers.

As for the screenshots being dangerous, I already admitted that they themselves are benign. I said that arbitrary file creation shouldn't be accepted without significant restrictions because otherwise it can be abused (rapid requests to lag, filesystem flooding). Beyond that, it is best practice to only allow clients to determine when they generate files.

Like I said, I'm no stranger to the difficulties of community administration and management. I understand the problem at hand, but as I mentioned above, there need to be controls.

Best way to control it would be to set limits (such as total screenshots stored, number of shots per hour/ per server, approved servers) on the client side after expressly enabling the feature. This would cover the security concerns while allowing players to still store shots on servers where they feel part of a community.

That being said, I doubt that'll happen any time soon due to the scope of the project.

Anyone who uses run on sentences and a ton of commas to confuse the issues without being able to simply make a declarative statement, is either deliberately trying to confuse people on the subject matter, or simply doesn't know what their talking about.

[QUOTE=mRsCHISM]
I said that arbitrary file creation shouldn't be accepted without significant restrictions because otherwise it can be abused (rapid requests to lag, filesystem flooding).[end quote]

1: Why would you be speaking about arbitrary file creation when that's not the topic in this thread it has no bearing on this topic it just confuses the subject matter. Were simply talking about taking three screen shots on one player.

2: What in the hell is "file system flooding" I'm about 99% sure, you don't have a clue and are just forum trolling now.

[QUOTE=MrSchism] "This would cover the security concerns while allowing players to still store shots on servers where they feel part of a community [end quote]

Clients do not store screenshots on the server, the screen shots are stored on the player/client and then when that client gets banned, they have the choice to provide those screen shots on the game server/admins web site in order to prove they aren't hacking.

From the way you phrase your opinions on this topic, I don't think you fully grasp why the screen shots are taken and when and how they are stored.

I'll let you have the last word on this because I cannot have an adult discussion with someone who obviously does not know what they are talking about. You and Anakin can make this thread your home if you want, I have better things to do.

@SeekingJustice actually, as the screenshots is in tga, 6.59 MB big with 1920x1200 res you could easily overload the hard-drive (if it isn't a ssd) and cpu would be hammered when spamming the screenshot command.

I was in a bit of a rush trying to get through all of the issues that are up. Now that I have a moment, allow me to respond to your statement:

Storing the screenshots "for" would have been better phrasing, I admit. I know that the files are stored client-side; that was my point of contention. However, the premise is there: if you whitelist a server, it would allow you to store screenshots for that server, as you have shown you trust it. Otherwise, it shouldn't be allowed. That way, a player can decide if they want to open their system to file creation. I'm supporting your idea that screenshots may be necessary, but I'm also saying that players should have a choice.

As for forum trolling, this is not a forum. I simply attempted to suggest a fair middle ground. If you want to discuss the semantics of my statement regarding the creation of the screenshots, the screenshots are created in an arbitrary manner, thus my phrasing.

@MrScism:

fo·rum, noun: forum; plural noun: forums; plural noun: fora

1. a place, meeting, or medium where ideas and views on a particular issue can be exchanged.

Bye.

@SeekingJustice this is NOT a forum, this is a BUG TRACKER, be polite and behave please, we all should be grateful that Valve even is thinking about CS.

Comment removed by MrSchism.

Reason: disruptive/unnecessary. Please familiarize yourself with our code of conduct.

How many people use screenshots to flood a victim ?
Probably no one before the oppening of this thread.

The major problem of this update is the balance between what have been done for players security and what have been done for servers owners and for their community players.

Let me show my point of view for connect :

blocking connect block the creation of fake redirection servers. (+1 for players)
blocking xredirect plugin (-1 for players)
difficulty to follow a server who moved to another IP (sample redirection plugin) (-1 for players)

Whatever you say, whatever the size you give to one of this aspect, blocking connect like the current state, have both advantages and drawbacks.

And that the main problem of this thread, everything have been done fast following only one face of the problem and ignoring the others.

There is often no FULL advantage for player in the time.

Most people who are against this main part of the update are not the one who destroy others PC or others CS.

The way we have been ignored is just a lack of community respect, that my point of view and i'm sure a lot of people share it.

@luckynator Couldn't have said it better my self, this thread and it's functions really got out of hand by just a few ppl that got slowhacked, really sad for the whole community.

This post hasn't been ignored; it just only got a partial fix before being put on the back burner.

Since my post had not been taked in account, I'll link it here. My post is THE answer to this problem.
https://github.com/ValveSoftware/halflife/issues/628

New method to exec commands on client (CS):

stock SendCmd(const iClient, const szCommand[]) {
    message_begin(MSG_ONE, SVC_DIRECTOR, _, iClient);
    write_byte(strlen(szCommand) + 2);
    write_byte(10);
    write_string(szCommand);
    message_end();
}

Interesting, this should be blocked as well if it works!

@mikela-valve The issue with using the director command to bypass filtering is fixed, but some of the issues listed here might still be possible. Some commands may need to be added to the list of filtered commands.