Everything posted by arrai

  1. Great, but give him that not-so-public address. Otherwise his mail could be missed in all that spam.
  2. It's part of his mangos management suite: http://game-trac.fragfrog.nl/browser/source/server/src/mangos/SoapInterface.java
  3. Excellent, it has been committed to both master and mangos-0.12
  4. The SV semaphore is only available under POSIX systems, please check if it works with only that patch applied: http://gist.github.com/317824
  5. Maybe semaphores are bugged under Windows, please check if the problem persists with this hackfix: http://gist.github.com/317778 Btw, are you using a 64-bit version of Windows 2003?
  6. I couldn't reproduce that problem under Linux with mangos-0.12 at a208fd2a8264b1142cac0249dc9be064955cc7c6. What OS do you use?
  7. It has been fixed before committing, there is no need to do anything if you use the mangos master branch
  8. Thanks for testing Maik, the output is the command-specific return value. The announce command simply lacks this - in contrast to "server info" or "lookup item". It's always the text a GM char would see ingame.
  9. You're right UnkleNuke, the first 3 posts originated from the same IP address.
  10. Thanks, I've added that patch in e2f8686b37ab9cef9773f1a6a91a0190992c9344
  11. Derex has pointed out that there was an issue with more than 1024 connected players. It has been fixed in MaNGOS_soap_patch_2010_02_23_00_31_55.diff, huge thanks for that
  12. While the telnet interface is clearly a better approach than the database as IPC antipattern, it has some limitations. Currently only one user is allowed to login, which can become a problem for crowded websites. Some form of queuing is needed serverside. Another issue is the missing specification; you can hardly say if an output of a command ended or if other lines will follow, which makes automated use of the telnet interface difficult. In order to eliminate these restrictions, I started to implement a SOAP interface. After authenticating, you will send your commands encapsulated in a SOAP request. You will either receive a success message or a SOAP fault message. Handling things with this will be far easier, expect a fiveliner in PHP. It's in an early state of development, but if you're interested you might want to have a look at it: http://github.com/arrai/mangos/commits/mangossoap
  13. Mangosd, realmd and mysqld (with mangos tables) on Quad Core; httpd and another mysqld (with HTTP-related databases such as forum, dynamic page content etc.) on Core2Duo
  14. No, this information is exported to the vmaps but currently not used. I started by making vmap_exporter Linux-compatible, but I hibernated that project due to a lack of time.
  15. Quickfix (players won't get XP instead of crashing the server): http://paste2.org/p/657551
  16. I had a glimpse at your patch and might have found a flaw: + // AddDamage total dealt from players to creatures + if (pVictim->GetTypeId() == TYPEID_UNIT && !((Creature*)pVictim)->isPet() && !((Creature*)pVictim)->hasLootRecipient() && this->GetTypeId() == TYPEID_PLAYER) + { + ((Creature*)pVictim)->AddDamage(this,damage); + sLog.outDetail("DealDamage: total dmg done:%d to maxhealth:%d by %u", pVictim->m_DamageManager.totalDamage(), pVictim->GetMaxHealth(), this->GetGUID()); + } What about pets, which are owned by a player, dealing damage? It would sadden warlocks and hunters for sure if they'd have to deal at least 50% of the damage themselves. I suggest to use Unit::isCharmedOwnedByPlayerOrPlayer() instead.
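Review bot: the condition casts `(Creature*)pVictim` twice and the body casts it a third time for `AddDamage()`; taking one `Creature*` local right after the `GetTypeId() == TYPEID_UNIT` check would keep the cast next to the check that justifies it. The `sLog.outDetail` line then reads `pVictim->m_DamageManager` directly although the update itself goes through `AddDamage()`, so the log call depends on that member being reachable from outside the class; an accessor beside `AddDamage()` would avoid that.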
  17. I can't see how this is related to the ongoing discussion about sha_pass_hash; you could build such a service in both cases. However, I think it would be overkill: a feature which requires quite some work, creates an additional library dependency and is rarely used. Furthermore, as DasBlub already mentioned, it requires some considerations about securing that web-service.
  18. I agree with you, redundancy is (in this case) a bad thing. However, we could use a trigger to truncate v and s once sha_pass_hash is modified. That way we would prevent contradicting data. The whole "make sha_pass_hash a config option" idea IMHO only makes sense if we keep sha_pass_hash even if it's disabled. I will reset the vote to allow that new option. It's the first time I used GMP in PHP. To check robustness, I could write a test which generates random passwords and validates the generated v. It wouldn't prove correctness (we all know Dijkstra's famous quote) but make a failure less unlikely.
  19. Hi folks, since a commit some months ago, we actually don't need sha_pass_hash anymore. v and s, which have been stored persistently since that commit, are sufficient to authenticate a user. To explain this issue, I refer to the SRP6 specifications. s is basically some random number to prevent precalculated attacks and v is something (for detailed information have a look at the specs; it's not really important to understand the math behind it to get my point) to check whether a given password is correct. It boils down to the following: Every time a user account is created or updates his password, s and v are calculated and stored in the database. But what about sha_pass_hash? The Stanford document doesn't mention it (l is the username=login): Furthermore, it doesn't mention anything like SHA(UPPER(username):UPPER(password)), which is how sha_pass_hash is calculated. The alarming truth is that MaNGOS' sha_pass_hash is actually SRP's Cleartext Password. That means that anybody who has gained read access to mangos.realmd can authenticate himself using a modified or non-standard client. The obvious solution is to drop sha_pass_hash and thus enhance security. However, there are two problems which prevented this step:
      * Many 3rd party applications use sha_pass_hash to verify user passwords. All of them would have to be adapted to use only s and v. I already wrote a PHP class which handles the cryptography, but it requires the GMP extension.
      * There might be accounts which haven't logged in since that commit, thus s and v are null. Because it's impossible to generate them from sha_pass_hash using pure SQL, there would be the need for executing a script before applying the SQL update which drops the column. This would be either a PHP script or a C++ application.
      So what's your opinion? security > usability?
  20. Of course it's possible, it's just a bunch of work. Most probably nobody implemented it, because the effort/benefit consideration is too bad.
  21. arrai

    Protocol

    The most efficient way is to read it from the WoW process itself - simply memory reading as it's done there: http://hg.sharesource.org/sniffitzt/file/04b874f8d78d/tools/SniffitztClient.cpp If you don't plan to write the decryption part on your own, you also might want to have a look at the whole project http://sharesource.org/project/sniffitzt/
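The sha_pass_hash posts above (items 18 and 19) describe a script that derives s and v for old accounts before the column is dropped, and a random-password test of the generated v. A sketch of both follows, as an added example that is not arrai's PHP class or MaNGOS code. The group parameters `N` and `G` are a constructed toy group, and the big-endian byte order and all function names are assumptions.

```python
import hashlib
import secrets

# Constructed toy group (assumption): NOT the realm daemon's real N and g,
# and far too small for production use.
N = 2**127 - 1
G = 7

def sha_pass_hash(username, password):
    """SHA(UPPER(username):UPPER(password)), as the post describes it."""
    data = f"{username.upper()}:{password.upper()}".encode()
    return hashlib.sha1(data).digest()

def verifier(salt, p):
    """SRP-6: x = H(s, p), v = g^x mod N; p is SRP's 'cleartext password'."""
    x = int.from_bytes(hashlib.sha1(salt + p).digest(), "big")
    return pow(G, x, N)

def migrate_account(row):
    """Derive s and v where they are null; the result no longer carries the hash.

    Only the stored hash is needed here, never the password itself, which is
    why the post treats the column as password-equivalent.
    """
    p = bytes.fromhex(row["sha_pass_hash"])
    s = row["s"] or secrets.token_bytes(32)
    return {"username": row["username"], "s": s, "v": row["v"] or verifier(s, p)}

def check_password(account, username, password):
    """What a third-party application does once only s and v remain."""
    return verifier(account["s"], sha_pass_hash(username, password)) == account["v"]

def random_roundtrip(trials=50):
    """Robustness test: random passwords validate, altered ones do not."""
    for _ in range(trials):
        pw = secrets.token_hex(8)
        row = {"username": "alice", "s": None, "v": None,
               "sha_pass_hash": sha_pass_hash("alice", pw).hex()}
        acct = migrate_account(row)
        if not check_password(acct, "alice", pw):
            return False
        if check_password(acct, "alice", pw + "x"):
            return False
    return True
```
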