GM Command hardening

FallenDev · FallenDev · commit ce4ca7a80b66 · 2026-01-27T23:25:32.000-05:00
diff --git a/Zolian.Server.Base/Network/Server/WorldServer.cs b/Zolian.Server.Base/Network/Server/WorldServer.cs
@@ -1057,6 +1057,13 @@ bool ParseCommand()
             {
                 if (!localClient.Aisling.GameMaster) return false;
                 if (!localArgs.Message.StartsWith("/")) return false;
+
+                var ipLocal = IPAddress.Parse(ServerSetup.Instance.InternalAddress);
+
+                if (!GameMastersIPs.Any(ip => client.RemoteIp.Equals(IPAddress.Parse(ip)))
+                    && !IPAddress.IsLoopback(client.RemoteIp) && !client.RemoteIp.Equals(ipLocal))
+                    return false;
+
                 Commander.ParseChatMessage(localClient.Aisling.Client, localArgs.Message);
                 return true;
             }
@@ -1275,6 +1282,7 @@ private static async ValueTask LoadAislingAsync(IWorldClient client, IRedirect r
             {
                 var ipLocal = IPAddress.Parse(ServerSetup.Instance.InternalAddress);
 
+                // If not from GM IPs, loopback, or local IP, disconnect
                 if (!GameMastersIPs.Any(ip => client.RemoteIp.Equals(IPAddress.Parse(ip)))
                     && !IPAddress.IsLoopback(client.RemoteIp) && !client.RemoteIp.Equals(ipLocal))
                 {

Original file line number	Diff line number	Diff line change
`@@ -1057,6 +1057,13 @@ bool ParseCommand()`
`1057`	`1057`	`{`
`1058`	`1058`	`if (!localClient.Aisling.GameMaster) return false;`
`1059`	`1059`	`if (!localArgs.Message.StartsWith("/")) return false;`
	`1060`	`+`
	`1061`	`+ var ipLocal = IPAddress.Parse(ServerSetup.Instance.InternalAddress);`
	`1062`	`+`
	`1063`	`+ if (!GameMastersIPs.Any(ip => client.RemoteIp.Equals(IPAddress.Parse(ip)))`
	`1064`	`+ && !IPAddress.IsLoopback(client.RemoteIp) && !client.RemoteIp.Equals(ipLocal))`
	`1065`	`+ return false;`
	`1066`	`+`
`1060`	`1067`	`Commander.ParseChatMessage(localClient.Aisling.Client, localArgs.Message);`
`1061`	`1068`	`return true;`
`1062`	`1069`	`}`
`@@ -1275,6 +1282,7 @@ private static async ValueTask LoadAislingAsync(IWorldClient client, IRedirect r`
`1275`	`1282`	`{`
`1276`	`1283`	`var ipLocal = IPAddress.Parse(ServerSetup.Instance.InternalAddress);`
`1277`	`1284`
	`1285`	`+ // If not from GM IPs, loopback, or local IP, disconnect`
`1278`	`1286`	`if (!GameMastersIPs.Any(ip => client.RemoteIp.Equals(IPAddress.Parse(ip)))`
`1279`	`1287`	`&& !IPAddress.IsLoopback(client.RemoteIp) && !client.RemoteIp.Equals(ipLocal))`
`1280`	`1288`	`{`