'Script_DestroySignalEntryListHead' is the last function to be called before 'init.nut' is loaded and parsed. Defining "DEVELOPER" with value of "developer" convar allows us to utilize this constant in 'init.nut'.
In this retail engine, "DEV" is always zero, except for scripts.rson. I think Respawn Entertainment defined this as zero for production builds under each context except the global one.. To fix this problem, we define a new constant named "DEVELOPER", change all references in scripts that where DEV (now R5DEV due to legacy reasons to mitigate this problem), to DEVELOPER. When the game is launched with -dev, anything within #if DEVELOPER with compiled, like the development behavior of DEV.
Calling Host_Error at this stage will cause a dead lock. Removed the call after performing several test (i think the reason all error calls are removed as of Titanfall 2 and Apex Legends (compared to Titanfall 1) is for this reason). Returning false does the job and allows the client to recover as soon as a valid packet comes in.
Implement bounds check for non-sanitized value of u.m_nNewEntity.
Debug builds of the engine have an assertion, however in release these are stripped.
This fixes a full chain client RCE exploit, for more information, see: https://ctf.re/source-engine/exploitation/2021/05/01/source-engine-2/
Client's can run string commands on the server with no rate limit. This means when you run 50k+ commands that are unknown, or spam 30k 'status' commands, you will be able to hang the server for 800/1200ms (15k/30kms if script printing to console is enabled!). Although the netchan processing budget system will kick you, the damage has already been done at this point. This change effectively breaks the ability to DOS the server from the client using networked string commands.
In easier words; binding 'status' to your mousewheel will get you kicked from the server, without hitching the server.
* Check if m_MessageHandler is removed before running limit test.
* Add warning DevMsg if client exceeds value.
* Default 'net_processTimeBudget' value to '200'.
* Fixed bug where the in-game console could not color the line when no newline was found.
* Changed behavior to only newline when: '\n' has been found, or the context has changed (using a print without newline will continue to print on the same line in the console).
* Pass ImVec4 parameter in 'CTextLogger::InsertTextAt' by reference.
* Use 'CClient::Disconnect(..)' for all kicks and bans (this automatically clears the entire CClient slot, and removes the net channel).
* Only force disconnect when 'CNetChan::m_nSignonState' has a value that is not NULL.
* Clear the ServerPlayer slot on 'CClient::Disconnect(..)' and 'CClient::Connect(..)'.
* Only kick player for NetChannel overflow when value exceeds processing budget (not equals).
Implement net message process budget (channel gets removed if value is exceeded).
Use 'net_processLimit' to enable the implementation on the server. It will get enabled by default after testing and some cleanup. This helps against people trying to slow the server down by spamming net messages with a higher rate, e.g. using 'bind "mousewheel_up" "status"'.
Everything marked '( !slower! )' could potentially slow the process down through usage or abuse (script prints could be abused as conhost is slow and bottlenecks the thread, they are by default only logged using SpdLog, which is very fast and won't cause a hitch even when you dump 2 live netchannels).
Removed extraneous 'FCVAR_SERVER_CAN_EXECUTE' flag. We disconnect clients using 'CClient::Disconnect(..)', relying on the client is useless without an anti-cheat and anti-tamper. Client can still use this to disconnect on its own though.
'migrateme' seemed useless as well, removed 'FCVAR_SERVER_CAN_EXECUTE'.
This makes all 'FCVAR_SERVER_CAN_EXECUTE' require 'FCVAR_DEVELOPMENTONLY' to be stripped, in order to execute without the '-devsdk' parameter (development launch arg),
