the parameter check for '-novid' has been removed from S2 onwards, but later added back in. Our S3 build doesn't have it as well. This commit adds it back in and allows user to launch the game without the startup video's by adding '-novid' to the launch arguments. ('-dev' also works, but this enables developer and sv_cheats..).
Must be passed from the launcher, as this is removed from the configuration files for prod. Ticking the development box will pass '-dev' and '-devsdk'.
If the client happens to exceed the quota by accident, the client will not be disconnected. This is a quality of life change. Client could still increase cl_quota_stringCmdsPerSecond to allow more submissions per second, or disabling the throttle entirely by setting cl_quota_stringCmdsPerSecond to 0.
'Script_DestroySignalEntryListHead' is the last function to be called before 'init.nut' is loaded and parsed. Defining "DEVELOPER" with value of "developer" convar allows us to utilize this constant in 'init.nut'.
In this retail engine, "DEV" is always zero, except for scripts.rson. I think Respawn Entertainment defined this as zero for production builds under each context except the global one.. To fix this problem, we define a new constant named "DEVELOPER", change all references in scripts that where DEV (now R5DEV due to legacy reasons to mitigate this problem), to DEVELOPER. When the game is launched with -dev, anything within #if DEVELOPER with compiled, like the development behavior of DEV.
Calling Host_Error at this stage will cause a dead lock. Removed the call after performing several test (i think the reason all error calls are removed as of Titanfall 2 and Apex Legends (compared to Titanfall 1) is for this reason). Returning false does the job and allows the client to recover as soon as a valid packet comes in.
Implement bounds check for non-sanitized value of u.m_nNewEntity.
Debug builds of the engine have an assertion, however in release these are stripped.
This fixes a full chain client RCE exploit, for more information, see: https://ctf.re/source-engine/exploitation/2021/05/01/source-engine-2/
Client's can run string commands on the server with no rate limit. This means when you run 50k+ commands that are unknown, or spam 30k 'status' commands, you will be able to hang the server for 800/1200ms (15k/30kms if script printing to console is enabled!). Although the netchan processing budget system will kick you, the damage has already been done at this point. This change effectively breaks the ability to DOS the server from the client using networked string commands.
In easier words; binding 'status' to your mousewheel will get you kicked from the server, without hitching the server.
