GMDprivateServer

Scan uploaded levels for ACE

Open 0x1DEA opened this issue 1 year ago • 5 comments

Added a LevelParser class which scans uploads for invalid things. I'd like someone with access to a PoC level to test on a local installation. And also sanity check my late-night code.

0x1DEA, May 26 '23 05:05

Using PHP's SPL gzread() function you can read the uncompressed data in a loop. Changing the parser, the pickup trigger scan can be done incrementally. However, the code uses zlib_decode(). I am still researching the specifics, but I was unable to use the gz functions to decompress the level string. Only zlib_decode() seemed to work. This is only an issue for extremely large levels like Ocular Miracle, which result in an out-of-memory error.

0x1DEA, May 26 '23 20:05

Fixed various things. I think this also necessitates a server scan utility for existing levels.

0x1DEA, May 27 '23 13:05

Does this support levelstrings compressed with both gzdeflate (H4sIAAA header in b64) and gzcompress (eJ header in b64), as well as uncompressed levelstrings?

Cvolton, May 28 '23 13:05

> Does this support levelstrings compressed with both gzdeflate (H4sIAAA header in b64) and gzcompress (eJ header in b64), as well as uncompressed levelstrings?

Yes, zlib_decode() works on both deflate and gzip data. When the level string is uncompressed, the b64 and decompression don't run.

0x1DEA, May 28 '23 15:05

> Yes, zlib_decode() works on both deflate and gzip data. When the level string is uncompressed, the b64 and decompression don't run.

Correction, it works as described but I haven't added the magic for deflate so it doesn't run. I'll fix this when I get home.

0x1DEA, May 28 '23 17:05
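
An added example (not the PR's LevelParser code) of the format detection and incremental decompression discussed in this thread: it picks the zlib encoding from the decoded magic bytes, passes uncompressed strings through untouched, and inflates in small steps under a size cap. `MAX_INFLATED`, `detectEncoding`, `levelChunks`, the URL-safe base64 handling and the sample string are assumptions made for the example.

```php
<?php
const MAX_INFLATED = 32 * 1024 * 1024; // assumed per-level cap on inflated size
// Map leading magic bytes to a zlib encoding; null means "not compressed".
function detectEncoding(string $raw): ?int
{
    if (strncmp($raw, "\x1f\x8b", 2) === 0) {
        return ZLIB_ENCODING_GZIP;      // gzip; base64 text starts with "H4sI"
    }
    // zlib header (RFC 1950): method 8, 16-bit header divisible by 31 (0x78 0x9c -> "eJ")
    if (strlen($raw) >= 2 && (ord($raw[0]) & 0x0f) === 8
        && ((ord($raw[0]) << 8) | ord($raw[1])) % 31 === 0) {
        return ZLIB_ENCODING_DEFLATE;   // PHP's name for the zlib format (gzcompress)
    }
    return null;
}

// Yield the inflated data piece by piece so a scanner never holds all of it at once.
function levelChunks(string $levelString, int $step = 4096): Generator
{
    // Assumption: "-" and "_" are accepted as the URL-safe base64 alphabet.
    $raw = base64_decode(strtr($levelString, '-_', '+/'), true);
    $encoding = $raw === false ? null : detectEncoding($raw);
    if ($encoding === null) {           // uncompressed: no b64, no inflate
        yield $levelString;
        return;
    }
    $ctx = inflate_init($encoding);
    if ($ctx === false) {
        throw new RuntimeException('inflate_init failed');
    }
    $total = 0;
    // Small input steps keep the output of each inflate_add() call small too.
    for ($off = 0, $len = strlen($raw); $off < $len; $off += $step) {
        $out = @inflate_add($ctx, substr($raw, $off, $step));
        if ($out === false) {
            throw new RuntimeException('corrupt compressed data');
        }
        if (($total += strlen($out)) > MAX_INFLATED) {
            throw new RuntimeException('decompressed level exceeds cap');
        }
        yield $out;
    }
}

// Constructed sample data, not a real level.
$plain = str_repeat('1,1,2,15,3,15;', 1000);
foreach ([base64_encode(gzencode($plain)), base64_encode(gzcompress($plain)), $plain] as $input) {
    var_dump(implode('', iterator_to_array(levelChunks($input), false)) === $plain);
}
```

The decoded compressed bytes are still held in memory here; only the inflated output is streamed, which is the part that grows without bound on a very large or deliberately inflated upload.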