User:Taffer

From OuroDev
Revision as of 07:28, 11 May 2019 by Taffer (talk | contribs) (looked into current 3rdparty/* code usage)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Being a place for notes about my investigation into the code. I'm focusing on security.

General

What are these _test folders for? Not unit tests (lulz of course not), just one project file...

3rdparty

As of 2019-05-11, here's a list of which 3rdparty directories are referenced from which projects:

  • 3dsmax - Utilties/3dsmax (animation import/export?)
  • 'AlienFX SDK' - Game_test (so, unused?)
  • cg - Game_test, GetTex, StreamingClientPrototype
  • cryptopp - all over the place
  • DirectX - GetVrml, libs/crashrpt
  • DoubleFusion - Game_test
  • fmod - not used!
  • freetype - CostumeCreator, Game_test, TestClientLauncher, TestClientLauncher_test, TestClient_test
  • freetype-2.1.9 - not used!
  • gc-7.2alpha6 - not used!
  • glew - Game, Game_test, GetTex, StreamingClientPrototype
  • IJGWin32 - CostumeCreator, Game
  • jpgdlib - CostumeCreator, Game_test, TestClientLauncher, TestClientLauncher_test, TestClient_test
  • libcubemapgen - Game, Game_test
  • libiconv - StructParser
  • libxml2 - StructParser
  • lua-5.1.5 - MapServer
  • nvcpl - Game_test
  • nvdxt - not used!
  • nvidia-texture-tools-2.0.7-1 - GetTex, StreamingClientPrototype
  • nvparse - CostumeCreator, Game
  • nvperf - Game_test
  • oggvorbis - CostumeCreator, Game_test, TestClientLauncher, TestClientLauncher_test, TestClient_test
  • PhysX - Game_test, mapserver_test
  • UnitTest++ - mapserver_test, PropertySheets/unitTest.vsprops
  • VTune - CostumeCreator, dbquery_test, Game_test, mapserver_test, RaidServer_test, StatServer_test, TestClientLauncher, TestClientLauncher_test, TestClient_test
  • wtl70 - libs/crashrpt
  • yajl - AccountServer
  • zeromq2-1 - AccountServer, dbserver, MapServer
  • zlibsrc - all over the place

cryptopp and zlib are used everywhere. @Cattan's already updated zlib, but we really need to update cryptopp ASAP.

If the *_test projects aren't actually useful (they link in UnitTest++, but there don't appear to be any unit tests in the code?) we could eliminate some additional unused code.

AuthServer

  • Doesn't appear to use any of the external/* libs. Arda2 appears to reference them though at least in the Linux Makefile.
  • cryptLib is a SHA512 implementation; it may be specific to AuthServer messages. It should be replaced by calls to OpenSSL or Crypto++ as they'll be faster and bug-free. Yes, three implementations of SHA-512.
  • Need to make it use zlib, etc. from 3rdparty instead of the local duplicates so we can upgrade things sanely.

Game

  • Looked in game.c, oh dear there's a lot of unsafe string handling going on in this code base...