04/02/2017, 05:52 PM   #11
GoldenLion
Re: safeDialogs - Complete protection against spoofed dialog data!

Quote:
Originally Posted by Lordzy
Thanks for reporting, it has been fixed! I suggest everyone to re-download the latest commit.
The bug is still there. I think it's not possible to fix it as it's impossible to get the whole inputtext.

04/02/2017, 06:21 PM   #12
Lordzy

Quote:
Originally Posted by PrO.GameR
Ah, one of my half-way finished projects. Great to see one released as I never got around to finishing mine.

Here's a suggestion for you, that's a huge array sitting somewhere unused until they use dialogs, so use PVars instead.
I didn't consider using PVars because of their slow performance and also I saw no use of having dialog-string over other scripts. I know there is a bulk of data unused, which is why I've considered using packed strings. I'll be running a few benchmarks and will switch over to PVars if needed. Thanks for suggesting!

Quote:
Originally Posted by Swedky
Another amazing release! Good job over there Lordz
I'll be looking at the code and tell you if I find some bug :P
I'd really be grateful if you find and report them because I haven't tested this include VERY well.

Quote:
Originally Posted by GoldenLion
The bug is still there. I think it's not possible to fix it as it's impossible to get the whole inputtext.
It'd be really helpful if you pointed out how or what code brings in the false call of OnDialogSpoof. Because I haven't really worked with dialogs since the release of SA-MP 0.3.7. I've noticed now that false calls would be given only if a header type dialog is shown as empty. I really don't know why anyone would show an empty header dialog but I assume in situations to show an empty inventory, that might be used.

A minor update has been done to this include to prevent false alarms on empty header dialog. This is the code I used right now for testing:
pawn Code:
//testing safeDialogs
#define FILTERSCRIPT

#include <a_samp>
#include <safeDialogs>
#include <zcmd>

static const dialogSpoofReasons[][] = {

    {"spoofing dialog ID"},
    {"spoofing list-item"},
    {"spoofing input-text"}
};


public OnDialogSpoof(playerid, spooftype) {

    new
        tempString[144],
        tempName[MAX_PLAYER_NAME + 1]
    ;

    GetPlayerName(playerid, tempName, sizeof(tempName));
    format(tempString, sizeof(tempString), "%s (ID:%d) has been caught for %s",
        tempName, playerid, dialogSpoofReasons[spooftype]);
       
    SendClientMessageToAll(-1, tempString);
   
    print("\a"); //Beep sound.
    print(tempString);
   
    return 0;
}

CMD:showdialog(playerid, params[]) {

    if(isnull(params))
        return SendClientMessage(playerid, 0xFF0000FF, "USAGE : /showdialog [type]");
       
    if(!strcmp(params, "list", true)) {
   
        ShowPlayerDialog(playerid, 1, DIALOG_STYLE_LIST, "DIALOG_STYLE_LIST",
        "Item1\nItem2\nItem3\nItem4", "Select", "Close");
    }
    else if(!strcmp(params, "msgbox", true)) {
   
        ShowPlayerDialog(playerid, 1, DIALOG_STYLE_MSGBOX, "DIALOG_STYLE_MSGBOX",
        "Item1\nItem2\nItem3\nItem4", "Select", "Close");
    }
    else if(!strcmp(params, "header", true)) {
   
        ShowPlayerDialog(playerid, 1, DIALOG_STYLE_TABLIST_HEADERS,
        "DIALOG_STYLE_TABLIST_HEADERS",
        "Item\tIndex\n\
        Item\t1\n\
        Stuff\t2\n\
        Other\t3"
, "Select", "Close");
        /*ShowPlayerDialog(playerid, 1, DIALOG_STYLE_TABLIST_HEADERS,
        "DIALOG_STYLE_TABLIST_HEADERS",
        "Item\tIndex\n", "Select", "Close");*/

    }
    else if(!strcmp(params, "tablist", true)) {
   
        ShowPlayerDialog(playerid, 1, DIALOG_STYLE_TABLIST,
        "DIALOG_STYLE_TABLIST",
        "Item\t1\n\
        Stuff\t2\n\
        Other\t3"
, "Select", "Close");
    }
    else if(!strcmp(params, "input", true)) {
   
        ShowPlayerDialog(playerid, 1, DIALOG_STYLE_INPUT, "DIALOG_STYLE_INPUT",
        "Input some stuff", "Select", "Close");
    }
    return 1;
}

Please re-download the latest commit if you're facing issues with empty header dialogs.
__________________
Currently inactive - I don't play at any SA-MP servers nor work on anything in PAWN for now. The projects that I've done so far in PAWN, which require updates, will be taking some time.

04/02/2017, 07:07 PM   #13
GoldenLion

I printed out the stuff to show you what's up.
This is what the dialog looks like in-game: https://gyazo.com/8f43f40824ac5c85f6e216325d005fcb
This is what it printed when I clicked on the mask:
Code:
inputtext: Mask
tempDListString: {FFFFFF}Mask	  1	0.10 lbs
As you can see the inputtext is the text before the first '\t' and tempDListString is the whole inputtext so strcmp always fails. Also inputtext doesn't include the color so it will call OnDialogSpoof whenever you use a color in any dialog.

05/02/2017, 03:36 AM   #14
Lordzy

Quote:
Originally Posted by GoldenLion
I printed out the stuff to show you what's up.
This is what the dialog looks like in-game: https://gyazo.com/8f43f40824ac5c85f6e216325d005fcb
This is what it printed when I clicked on the mask:
Code:
inputtext: Mask
tempDListString: {FFFFFF}Mask	  1	0.10 lbs
As you can see the inputtext is the text before the first '\t' and tempDListString is the whole inputtext so strcmp always fails. Also inputtext doesn't include the color so it will call OnDialogSpoof whenever you use a color in any dialog.
The first issue you stated was fixed in v1.0.1 of this include because strings would be compared up to the length of inputtext only. Color embedding is something I forgot - fixed now!

v1.0.2 has been released!

- Fixes false calls on dialog lists having color embedding.
- Include is completely stand-alone now. It requires no script_compatibility include since it was a problem for users using YSI.

Please re-download the latest commit of this include. If you find any more issues, please post on this topic as it'd really be helpful.

05/02/2017, 12:40 PM   #15
PrO.GameR

It's really a shame that we can't use the whole inputtext line in tablists.
Good job on fixing everything I was concerned with, adding it to my server.
__________________
Blueberry Prison Roleplay will be back soon!
Follow the forums for more information about opening day.

06/02/2017, 03:35 PM   #16
Lordzy

EDIT : Never mind this function - v1.0.3 supports a better version of this function.

Quote:
Originally Posted by PrO.GameR
It's really a shame that we can't use the whole inputtext line in tablists.
I wrote a function that can get you the whole inputtext line for tablists and header using this include. I couldn't test this since I'm not at home these days, typed these on my mobile. I'd be grateful if someone tests to see if it works.
pawn Code:
#include <a_samp>
#include <safeDialogs>

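//Copies the raw line of list-item `listitem` from the player's current dialog into dest.
GetPlayerDialogItem(playerid, listitem, dest[], size = sizeof(dest)) {

    new
        initPoint,
        endPoint,
        tempCounts,
        dStr[MAX_DIALOG_STRING],
        dLen
    ;

    //Header dialogs carry one extra leading line (the header row) that must be skipped.
    tempCounts = (GetPlayerDialogStyle(playerid) == DIALOG_STYLE_TABLIST_HEADERS) ? -2 : -1;
    GetPlayerDialogInfo(playerid, dStr, sizeof(dStr));
    dLen = strlen(dStr);

    //Walk the string; every '\n' ends one line.
    for(endPoint = 0; endPoint < dLen; endPoint++) {

        if(dStr[endPoint] == '\n') {

            if(++tempCounts == listitem)
                break;
            initPoint = endPoint;
        }
    }
    //initPoint sits on the '\n' before the wanted line, so step past it.
    if(initPoint != 0)
        initPoint++;

    strmid(dest, dStr, initPoint, endPoint, size);
    return 1;
}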

Usage:
pawn Code:
public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[]) {

    if(dialogid == sometablistID) {

        new
            listStr[256];
        GetPlayerDialogItem(playerid, listitem, listStr);
        //listStr now contains the item's string regardless of player's input.
        //It's the raw data which even includes color embedding.
        return 1;
    }
    return 0;
}

Last edited by Lordzy; 08/02/2017 at 05:18 PM.

08/02/2017, 05:17 PM   #17
Lordzy

safeDialogs - v1.0.3 (optional/minor update) released!

- Added a static-global array to handle huge strings, thereby freeing more heap space. If you were facing any heap space related warning after including safeDialogs earlier, it should be fixed now.
- Improved list-item filtering. There used to be a confusion for non-hex codes between curly braces in list-item string, no more now though!
- Added new function : GetPlayerDialogItem - It stores the list-item string/data into destination. Using this function, you don't have to rely on inputtext for list-type dialogs to get their string data. In cases of DIALOG_STYLE_TABLIST or DIALOG_STYLE_TABLIST_HEADERS - it stores the complete list-item data.
pawn Code:
GetPlayerDialogItem(playerid, listitem, dest[], bool:filter = false, size = sizeof(dest));

playerid - The player to obtain data from.
listitem - The listitem of which data/string has to be obtained.
dest[] - Array to store string/data.
filter = false - Whether to filter the contents in a list-item. If filter is set to true,
                   it will automatically remove color embedding and make it look like
                   how it's shown to clients / players.
                   If filter is set to false (by default it's false), it will show the raw data
                   which may or may not include color embedding, depending on how the
                   code is.
size = sizeof(dest) - The size of destination array.
- Fixed functions : Functions from safeDialogs can now be used under OnDialogResponse and OnDialogSpoof.
- Include initialization won't call OnPlayerConnect completely anymore, instead it only resets necessary variables. This also means that "_ALS_" hook errors upon including certain libraries along with safeDialogs, are fixed.

This is an optional update, but I'd recommend anyone using this include to update to the latest version.

-----


Output of how the whole text can be retrieved for tabbed dialogs. (The same applies for header type dialogs)

pawn Code:
ShowPlayerDialog(playerid, 1, DIALOG_STYLE_TABLIST,
"DIALOG_STYLE_TABLIST",
"Item\t1\n\
{FF0000}Stuff\t2\n\
{FFFaf9}Other\t3"
, "Select", "Close");

public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[]) {

    if(dialogid == 1) {
   
        new
            tmpString[256];
           
        GetPlayerDialogItem(playerid, listitem, tmpString, false, sizeof(tmpString));
        //filter is false - This output can include color embedding if the script has done so.
        printf("%s", tmpString);
       
        tmpString[0] = EOS;
        GetPlayerDialogItem(playerid, listitem, tmpString, true, sizeof(tmpString));
        //filter is true - It will print the text exactly like how clients view in game.
        printf("%s", tmpString);
       
        return 1;
    }
    return 0;
}

Output: (I selected each and every list-item)
Code:
Item	1
Item	1
{FF0000}Stuff	2
Stuff	2
{FFFaf9}Other	3
Other	3

Last edited by Lordzy; 09/02/2017 at 01:15 AM.
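
The comparison discussed in posts #13, #14 and #17, as an added Python model (not code from safeDialogs or from any poster): it derives the expected inputtext from the server-side row by removing six-hex-digit color embeds and cutting at the first tab, then checks dialog ID, list-item range and input-text in that order. The function names, the `shown` tuple, the exact-match rule and the handling of an empty list are assumptions of this model; only list-type dialogs are covered, and plain list rows are assumed to contain no tabs.

```python
import re

# Style names follow the SA-MP constants used in the thread; the values are local to this model.
LIST, TABLIST, TABLIST_HEADERS = "LIST", "TABLIST", "TABLIST_HEADERS"

# A color embed is exactly six hex digits in braces; "{level}" stays ordinary text.
COLOR_EMBED = re.compile(r"\{[0-9A-Fa-f]{6}\}")


def selectable_rows(style, info):
    """Raw rows a client can pick from the info string the server sent."""
    rows = info.split("\n")
    while rows and rows[-1] == "":      # ignore trailing newline(s)
        rows.pop()
    if style == TABLIST_HEADERS:
        rows = rows[1:]                 # the header row is not selectable
    return rows


def displayed_first_column(raw_row):
    """Expected inputtext for a row: color embeds removed, text before the first tab."""
    return COLOR_EMBED.sub("", raw_row).split("\t", 1)[0]


def check_response(shown, dialogid, listitem, inputtext):
    """shown is the (dialogid, style, info) the server last sent, or None.
    Returns "ok" or one of the spoof reasons named in the thread's test script."""
    if shown is None or shown[0] != dialogid:
        return "spoofing dialog ID"
    _, style, info = shown
    rows = selectable_rows(style, info)
    if not rows:
        return "ok"  # assumption: no rows to compare against, so no list-item alarm
    if not 0 <= listitem < len(rows):
        return "spoofing list-item"
    # Exact match on the displayed first column; a prefix-only compare would accept "St" for "Stuff".
    if inputtext != displayed_first_column(rows[listitem]):
        return "spoofing input-text"
    return "ok"


if __name__ == "__main__":
    # Constructed responses against the tablist string from the post above.
    shown = (1, TABLIST, "Item\t1\n{FF0000}Stuff\t2\n{FFFaf9}Other\t3")
    for args in [(1, 1, "Stuff"), (1, 1, "{FF0000}Stuff\t2"), (1, 1, "St"),
                 (1, 3, "Other"), (7, 0, "Item")]:
        print(args, "->", check_response(shown, *args))
```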

12/02/2017, 06:30 PM   #18
GoldenLion

OnDialogSpoof got called for no reason again and the spoof type was dialog ID. This is what my dialog looked like: https://gyazo.com/ed8c0f8b1d392086fd890bb8d15579f7
Responding to it showed this dialog:
https://gyazo.com/f88309606a29a632457e6f7e1966fc22
and after I responded to the second dialog OnDialogSpoof got called.
I printed the dialog IDs:
Code:
dialogid: 52
g_LSafeDialogs_Player[playerid][e_L_SD_pDIALOG_ID]: -1
I tried going through the include, but I couldn't find what's causing that. It was working before the 1.0.3 update though.

12/02/2017, 11:58 PM   #19
Lordzy

Quote:
Originally Posted by GoldenLion
OnDialogSpoof got called for no reason again and the spoof type was dialog ID. This is what my dialog looked like: https://gyazo.com/ed8c0f8b1d392086fd890bb8d15579f7
Responding to it showed this dialog:
https://gyazo.com/f88309606a29a632457e6f7e1966fc22
and after I responded to the second dialog OnDialogSpoof got called.
I printed the dialog IDs:
Code:
dialogid: 52
g_LSafeDialogs_Player[playerid][e_L_SD_pDIALOG_ID]: -1
I tried going through the include, but I couldn't find what's causing that. It was working before the 1.0.3 update though.
Are you using multiple filterscripts that use dialog features? If so, please wait because I'll have to change the data structure to use PVars. I'm currently on a tour and will be updating as soon as I get back.

If what I said is your problem, for now return 1 under your OnDialogResponse. If this isn't the problem, try compiling with v1.0.2 (can be taken from commit history) and see if it's working well or not.

Edit : One more thing I'd like to add - Are you calling OnDialogResponse callback explicitly anywhere in your code? Also let me know if you're using easyDialogs or not.

13/02/2017, 10:48 AM   #20
GoldenLion

Quote:
Originally Posted by Lordzy
Are you using multiple filterscripts that use dialog features? If so, please wait because I'll have to change the data structure to use PVars. I'm currently on a tour and will be updating as soon as I get back.

If what I said is your problem, for now return 1 under your OnDialogResponse. If this isn't the problem, try compiling with v1.0.2 (can be taken from commit history) and see if it's working well or not.

Edit : One more thing I'd like to add - Are you calling OnDialogResponse callback explicitly anywhere in your code? Also let me know if you're using easyDialogs or not.
I don't have any filterscripts nor easyDialogs include and I don't call OnDialogResponse anywhere. Also I return 1 there already, I never return 0. :P I'll try 1.0.2.