portal2 icon indicating copy to clipboard operation
portal2 copied to clipboard
verified publisher icon ValveSoftware

Executing commands without the `FCVAR_SERVER_CAN_EXECUTE` flag in multiplayer through `point_clientcommand` or `point_broadcastclientcommand` entities are prevented from being ran by the game.

Open NathanL1370 opened this issue 1 year ago • 3 comments

This wasn't an issue before, but it seemingly now is.

Recent updates for Portal 2 caused commands without the server_can_execute flag (such as upgrade_potatogun) executed by point_clientcommand or point_broadcastclientcommand entities return FCVAR_SERVER_CAN_EXECUTE prevented server running command: upgrade_potatogun in the console. The command only goes through if said command is ran through a point_servercommand entity or ran manually by the client's console.

  1. Open Portal 2 and launch any coop map in splitscreen (ss_map mp_coop_lobby_3)
  2. Create a point_clientcommand or point_broadcastclientcommand entity by running ent_create point_clientcommand or ent_create point_broadcastclientcommand in the console. Make sure you have typed sv_cheats 1 before doing this
  3. Attempt to run a command without server_can_execute flag through the clientcommand/broadcastclientcommand entity by running ent_fire point_clientcommand command "<command without server_can_execute flag>" or ent_fire point_broadcastclientcommand command "<command without server_can_execute flag>" in the console (for example, upgrade_potatogun). The console should now return the FCVAR_SERVER_CAN_EXECUTE prevented server running command: <command without server_can_execute flag>. The example command is upgrade_potatogun, which does not have the server_can_execute flag, should return FCVAR_SERVER_CAN_EXECUTE prevented server running command: upgrade_potatogun.

I don't know if this change was meant to combat RCE exploits and crashes, or if it's a bug with the game. I have tested this on Windows and Steam Deck, both platforms have this issue. Linux and Mac may also be affected.

Image showing the problem: 20240604143220_1

NathanL1370 avatar Jun 04 '24 22:06 NathanL1370

I noticed this recently too. This is actually unrelated to commands being cheats, the game now disallows remote servers from executing any command that doesn't have the flag FCVAR_SERVER_CAN_EXECUTE in code. You can see which commands have it by typing help <command>, and seeing if the output shows server_can_execute - it's not many.

This is technically a security fix (disallowing servers from running arbitrary commands on connected clients), and is enabled in every other Source 1 multiplayer game, but Portal 2 has never had it turned on until a recent update. I'm really not happy with the fact that this was randomly changed in an update 13 years after the game's release after hundreds of workshop maps have already been made which rely on the original behavior. It completely prevents a lot of cool/useful things that could previously be done in co-op with VScript/commands, further restricting what is probably already the most restricted Source 1 game when it comes to modding.

As a compromise, it would be nice to have a new cvar added which restores the original behavior. Said cvar should obviously not be flagged with FCVAR_SERVER_CAN_EXECUTE itself, since that would allow servers to just turn off the restrictions, but a user who specifically wanted that behavior or was playing a map which required it could turn it off themselves.

vrad-exe avatar Jun 05 '24 06:06 vrad-exe

I'm really not happy with the fact that this was randomly changed in an update 13 years after the game's release after hundreds of workshop maps have already been made which rely on the original behavior. It completely prevents a lot of cool/useful things that could previously be done in co-op with VScript/commands, further restricting what is probably already the most restricted Source 1 game when it comes to modding.

Now that you mention it, I am actually making a Portal 2 mod that ports the singleplayer maps to coop and it heavily relies on using commands without the server_can_execute flag. They are also executed through the point_broadcastclientcommand entity. With the latest update of Portal 2, point_broadcastclientcommand almost becomes entirely useless because those commands would be blocked by the FCVAR_SERVER_CAN_EXECUTE error.

This is actually unrelated to commands being cheats, the game now disallows remote servers from executing any command that doesn't have the flag FCVAR_SERVER_CAN_EXECUTE in code. You can see which commands have it by typing help , and seeing if the output shows server_can_execute - it's not many.

That's true, I should probably edit the title and description. Thanks for clarifying.

As a compromise, it would be nice to have a new cvar added which restores the original behavior. Said cvar should obviously not be flagged with FCVAR_SERVER_CAN_EXECUTE itself, since that would allow servers to just turn off the restrictions, but a user who specifically wanted that behavior or was playing a map which required it could turn it off themselves.

That would work, as long as said cvar can be changed through a point_servercommand in some cases. In the case of my mod that I am working on, it would definitely be required to be off at all times for my mod to work properly (and possibly other coop maps that rely on those commands).

However, leaving it disabled brings back the possibility that bad actors, trolls, and hackers can use it for remote code execution exploits, making the convar completely useless on what it was supposed to do, and could create more issues than solve them if not properly addressed.

NathanL1370 avatar Jun 05 '24 16:06 NathanL1370

#437 describes 2 commands that are affected by the FCVAR_SERVER_CAN_EXECUTE flag. More details there.

NathanL1370 avatar Jun 05 '24 23:06 NathanL1370