From cf9f25eb0b9f6fa3bc6b1ffe2f4c0d3d775538b0 Mon Sep 17 00:00:00 2001 From: Oliver Brakmann Date: Sun, 21 Feb 2016 16:31:45 +0100 Subject: [PATCH] Fix LobbyCommands not validating user-modifiable input Validates all input that could have been changed with custom yaml rules. --- .../ServerTraits/LobbyCommands.cs | 49 ++++++++++++++++--- 1 file changed, 41 insertions(+), 8 deletions(-) diff --git a/OpenRA.Mods.Common/ServerTraits/LobbyCommands.cs b/OpenRA.Mods.Common/ServerTraits/LobbyCommands.cs index 29e1ea7080..4e0d97c7e9 100644 --- a/OpenRA.Mods.Common/ServerTraits/LobbyCommands.cs +++ b/OpenRA.Mods.Common/ServerTraits/LobbyCommands.cs @@ -16,6 +16,7 @@ using OpenRA.Graphics; using OpenRA.Mods.Common.Traits; using OpenRA.Network; using OpenRA.Server; +using OpenRA.Traits; using S = OpenRA.Server.Server; namespace OpenRA.Mods.Common.Server @@ -585,8 +586,8 @@ namespace OpenRA.Mods.Common.Server if (s != null && !server.Map.Options.Difficulties.Contains(s)) { - server.SendOrderTo(conn, "Message", "Unsupported difficulty selected: {0}".F(s)); - server.SendOrderTo(conn, "Message", "Supported difficulties: {0}".F(server.Map.Options.Difficulties.JoinWith(","))); + server.SendOrderTo(conn, "Message", "Invalid difficulty selected: {0}".F(s)); + server.SendOrderTo(conn, "Message", "Supported values: {0}".F(server.Map.Options.Difficulties.JoinWith(", "))); return true; } 
@@ -613,12 +614,17 @@ namespace OpenRA.Mods.Common.Server } var startUnitsInfo = server.Map.Rules.Actors["world"].TraitInfos(); - var selectedClass = startUnitsInfo.Where(u => u.Class == s).Select(u => u.ClassName).FirstOrDefault(); - var className = selectedClass != null ? selectedClass : s; + var selectedClass = startUnitsInfo.Where(u => u.Class == s).FirstOrDefault(); + if (selectedClass == null) + { + server.SendOrderTo(conn, "Message", "Invalid starting units option selected: {0}".F(s)); + server.SendOrderTo(conn, "Message", "Supported values: {0}".F(startUnitsInfo.Select(su => su.ClassName).JoinWith(", "))); + return true; + } - server.LobbyInfo.GlobalSettings.StartingUnitsClass = s; + server.LobbyInfo.GlobalSettings.StartingUnitsClass = selectedClass.Class; server.SyncLobbyGlobalSettings(); - server.SendMessage("{0} changed Starting Units to {1}.".F(client.Name, className)); + server.SendMessage("{0} changed Starting Units to {1}.".F(client.Name, selectedClass.ClassName)); return true; } @@ -638,9 +644,18 @@ namespace OpenRA.Mods.Common.Server return true; } - server.LobbyInfo.GlobalSettings.StartingCash = Exts.ParseIntegerInvariant(s); + var startingCashOptions = server.Map.Rules.Actors["player"].TraitInfo().SelectableCash; + var requestedCash = Exts.ParseIntegerInvariant(s); + if (!startingCashOptions.Contains(requestedCash)) + { + server.SendOrderTo(conn, "Message", "Invalid starting cash value selected: {0}".F(s)); + server.SendOrderTo(conn, "Message", "Supported values: {0}".F(startingCashOptions.JoinWith(", "))); + return true; + } + + server.LobbyInfo.GlobalSettings.StartingCash = requestedCash; server.SyncLobbyGlobalSettings(); - server.SendMessage("{0} changed Starting Cash to ${1}.".F(client.Name, s)); + server.SendMessage("{0} changed Starting Cash to ${1}.".F(client.Name, requestedCash)); return true; } 
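Review bot: The "Supported values" reply in the starting-units branch lists `su.ClassName`, but the request is matched against `u.Class`, so a client that sends back one of the listed names is rejected again. Listing the accepted identifiers keeps the message consistent with the check, e.g. `startUnitsInfo.Select(su => su.Class).Distinct().JoinWith(", ")`. The `Distinct()` matters if several trait infos share a class, which is likely but not visible in this diff. As a style point, `Where(u => u.Class == s).FirstOrDefault()` can be written `FirstOrDefault(u => u.Class == s)`. The handler starts outside the hunk.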
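Review bot: `Exts.ParseIntegerInvariant(s)` still runs on the raw client string before the new `SelectableCash` check, so non-numeric or overflowing text reaches the parser unvalidated. Its definition is not in this diff, but if it throws like `int.Parse`, the exception is raised inside the server's lobby command handling instead of producing the "Invalid starting cash value" reply. Parsing with a non-throwing call and treating failure as invalid closes that gap, e.g. `int requestedCash; if (!Exts.TryParseIntegerInvariant(s, out requestedCash) || !startingCashOptions.Contains(requestedCash))`, assuming that helper is available in this tree. The handler's earlier checks are outside the hunk.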
@@ -660,6 +675,14 @@ namespace OpenRA.Mods.Common.Server return true; } + var techlevels = server.Map.Rules.Actors["player"].TraitInfos().Select(t => t.Name); + if (!techlevels.Contains(s)) + { + server.SendOrderTo(conn, "Message", "Invalid tech level selected: {0}".F(s)); + server.SendOrderTo(conn, "Message", "Supported values: {0}".F(techlevels.JoinWith(", "))); + return true; + } + server.LobbyInfo.GlobalSettings.TechLevel = s; server.SyncLobbyInfo(); server.SendMessage("{0} changed Tech Level to {1}.".F(client.Name, s)); @@ -773,6 +796,16 @@ namespace OpenRA.Mods.Common.Server if (server.LobbyInfo.Slots[targetClient.Slot].LockFaction) return true; + var factions = server.Map.Rules.Actors["world"].TraitInfos() + .Where(f => f.Selectable).Select(f => f.InternalName); + + if (!factions.Contains(parts[1])) + { + server.SendOrderTo(conn, "Message", "Invalid faction selected: {0}".F(parts[1])); + server.SendOrderTo(conn, "Message", "Supported values: {0}".F(factions.JoinWith(", "))); + return true; + } + targetClient.Faction = parts[1]; server.SyncLobbyClients(); return true;
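Review bot: `techlevels` is a deferred LINQ query that is enumerated once by `Contains(s)` and again by `JoinWith` on the rejection path; the `factions` query in the faction hunk that follows has the same shape. Materialising each once, by ending the query with `.ToList()`, avoids re-walking the trait infos and makes it clear that the list checked is the list reported. A short comment on each check, such as `// Clients running modified yaml rules can send values the lobby UI never offers, so validate against the server's rules.`, would record why the server re-validates. Both handlers start outside their hunks.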