[11147]Check Validity of Action Bar Slots for addActionButton

[nos4r2zod]

What bug does the patch fix? What features does the patch add?

This patch fixes a potential exploit with multicast bars (currently only totem bars use this).

Spell:EffectSummonAllTotems checks through the player's action buttons in order to find which totems to cast. This makes it a rare case where a mangos spell implementation is dependent on information on the client's UI.

This can currently be exploited by third party programs which can place spells on the totem bar that are not normally allowed by client. Doing so allows those spells (even passive abilities/talents) to be cast on self with Call of the Elements/Ancestors/Spirits instantly.

The patch prevents passive spells from being put on action bars in general, and checks that only totem spells are placed the totem bar using AttributesEx7 data.

For which repository revision was the patch created?

10755

Is there a thread in the bug report section or at lighthouse? If yes, please add a link to the thread.

Nope.

Who has been writing this patch? Please include either forum user names or email addresses.

Myself

Patch: http://paste2.org/p/1099765

Edit: Typo in defines fixed

Edit2: Update after 10693

[michalpolko]

This can currently be exploited by third party programs which can place spells on the totem bar that are not normally allowed by client. Doing so allows those spells (even passive abilities/talents) to be cast on self with Call of the Elements/Ancestors/Spirits instantly.

maybe such info should be stored on the server's side?

[nos4r2zod]

maybe such info should be stored on the server's side?

That's exactly what mangos does currently.

[Ambal]

In [11147]. Thank you very much, nos4r2zod