arrai

The password itself or even the hash (sha(name : password)) is never sent by the client. Instead, SRP-6 is used to authenticate the user: http://srp.stanford.edu/design.html That protocol is unattackable by eavesdroppers

Fixing the other issues (pictures and manipulated links in general) should be discussed in the bugtracker: https://mangos.lighthouseapp.com/projects/18208/tickets/200-chat-colored-text

I thought about that issue once again and came to the conclusion, that this patch won't completly fix the problem: If a creature has a lootid and the random loot generation function produces an empty loot, the lootable animation will still show up

Why don't you prevent setting that flag at all? The function you modified is only used if different player should see different values.

There are two kind of waters: ADT and WMO based. These mentioned fishing areas are realized by using WMOs with liquid types. These information are extracted to the vmap format, but not used yet - it's simply not implemented

That's bogus, you can just rename the addon and any disabler will fail. Scanning messages for such strings is the only (and official) way.

Yes, you can post .blp images on the chat, that's the way how GM status is faked: CMStringSpecial = Skipline.."\\124cffff80ff\\124TInterface\\\\ChatFrame\\\\UI-ChatIcon-Blizz.blp:18:12:0:0\\124 If we want to prevent this, we have to scan every chatmessage for valid \\124 commands - if we disallow them at all ingame linking of quests/items wouldn't work either.

He posted the current mangos code, not a patch - so what do you all thank him for? I had a brief look at that addon, it uses \\n to seperate the players message from the faked one. So you could add that char to the list: diff --git a/src/shared/Util.cpp b/src/shared/Util.cpp index fa18ad9..0b70aac 100644 --- a/src/shared/Util.cpp +++ b/src/shared/Util.cpp @@ -73,7 +73,7 @@ Tokens StrSplit(const std::string &src, const std::string &sep) void stripLineInvisibleChars(std::string &str) { - static std::string invChars = " \\t\\7"; + static std::string invChars = " \\t\\7\\n"; size_t wpos = 0; That way the faked messages should be in the same line as the players message - it should be pretty obvious. However, this doesn't prevent posting pictures in chats, this requires some deeper analysis of each message.

It's initialized with the sessionkey, I did some research some months ago: https://sharesource.org/hg/sniffitzt/file/af5505e0931c/src/sniffitzt/WardenHandler.java

Compression defines what deflate level is used for compressing SMSG_COMPRESSED_UPDATE_OBJECT - it has nothing to do with threads at all!

No, the problem lies somewhere else: http://en.wikipedia.org/wiki/SQL_injection

Set DetectPosCollision=0 in mangosd.conf

it's not a bug: http://www.wowwiki.com/Guards

It's not possbile to send items using the database while mangos is running, mangos will most likely overwrite the entries in item_instance. However, you can use the remote admin console therefore. Have a look at the send items command, the syntax is: send items #playername "#subject" "#text" itemid1[:count1] itemid2[:count2] ... itemidN[:countN]

All other Quests had an additional dummy spell which handled despawning, see http://www.wowhead.com/?spell=51961 http://www.wowhead.com/?spell=50918 http://www.wowhead.com/?spell=50926 http://www.wowhead.com/?spell=46167 or http://www.wowhead.com/?spell=61832. So most probably there is also a dummy spell for that quest. Once you found it, it requires additional scripting, of course

You're right, my statement only refers to mangos-0.12 - it has been changed in master. You can use this patch to remove that push down: [vladimir: hack wrong code removed]

"Open end" is not possible on computers - every datatype is limited. It's no problem to set the security level of some accounts higher than 3 and modify required security level in the commands table. However, certain freatures are hardcoded to special gmlevels - like adding players of the oposide faction to your friendlist and chatting with them^_^

I verified that it's a missing summon type - i will try to change the whole hardcoded summontype system by using SummonProperties.dbc.I've updated my patch to implement despawning the NPS and added a better vehicle support - they also work using CMSG_SPELLCLICK. Here are some example values, which will allows both picking up npc # 28389 and mounting npc #27629 INSERT INTO `npc_spellclick_spells` (`npc_entry`, `spell_id`, `quest_id`, `cast_flags`) VALUES (28389, 51592, 12605, 1), (28389, 51593, 12605, 3), (27629, 49256, 0, 1); Please test:)

I just queried those items and they have the flags 268435520 and 268439616, which both contain 268435456. So the theorie seems to be right

I don't guess so, spell http://www.wowhead.com/?spell=51593 has ImplicitTargetA=25. So either our implementation of that targettype is wrong or the solution I suggested is correct Yes, I will remove that code in a later version Try to set quest=0 in npc_spellclick_spells. Did you gave that npc the SPELLCLICK flag? Might be a missing summontype.

In order to discuss things with these guys, there will be an IRC meeting: rizon.net#reunification at 6pm GMT tomorrow To avoid the confusion I had with these timezones there is a nice link with a relative time display http://www.timeanddate.com/counters/customcounter.html?day=30&month=04&year=2009&hour=6pm&min=0&sec=0&p0=0 It would be nice if as much as possible of you could participate, only then we can make obligatory descisions

I wrote a patch which should provide that feature in an official way. Please test and give feedback

I just had a conversation with X-Savior about taking over some developers from trinity So what do you think about it? I'm thinking similar as Savior - if we adept them we can still demot them. Maybe give them a chance as "trial developers"?

Did you find that spellid somewhere in the UNIT_FIELD or do we have to add a new table spellclick_links(int npc_entry, int spellid)?

Just replace SetStatFloatValue(PLAYER_PARRY_PERCENTAGE, value); by SetStatFloatValue(PLAYER_PARRY_PERCENTAGE, value>70.0f?70.0f:value); That should do the trick