RGL Site Problems
#1
0 Frags +

Making a thread bc there will probably be more

- Get SSL - actually free (https://letsencrypt.org/getting-started/)
- Don't let teams schedule matches at the exact same time - we have 2 matches Tuesday at 10:30 rn. We can't counter offer because the other team accepted.
- Add a "Decline offer" button to match offers, you can only accept or counter, even if the date's already been set
- Don't let team admins change players' profile names
- Send an email when you get a match offer bc you actually can't expect us to check the page constantly
- Broken links and wrong config on map pages http://sixes.rgl.gg/Public/Maps.aspx?m=25
- Your username sanitization is broken, try changing your name to have < in the middle
- You're trying to load signalr hubs from the wrong place, should be http://sixes.rgl.gg/signalr/hubs instead of http://cdn.rgl.gg/signalr/hubs

#2
15 Frags +

Maybe I'm an idiot but I think it's way too hard to figure out what version of the custom maps we use

#3
6 Frags +

The custom map problem exists for us as well. I eventually tracked down a map list in one of the blog posts on the website but even then the only place I could find info about clearcut using a new version was in the rgl fee due date thread.

#4
37 Frags +

admins can log in as players and make changes appearing as them.

#5
4 Frags +

Wrong match times are listed and I can't choose what match comms I'm commenting on on mobile.

#6
2 Frags +

Clearcut_B13 will be the one used during week 6. Any other version is vastly different.

In case you need a link: https://tf2maps.net/downloads/clearcut.5682/

#7
24 Frags +
[quote=Air_]admins can log in as players and make changes appearing as them.[/quote]

Not sure what's worse
- no SSL on a site involving money
- admins either bypassing steam login
- or admins having access to steam login

#8
23 Frags +
[quote=Air_]admins can log in as players and make changes appearing as them.[/quote]

thought I'd throw in the related screencaps for this in case there might be any disbelief

https://i.gyazo.com/fe416fa1db32b2df2eaf6ae931a3a857.png

https://steamuserimages-a.akamaihd.net/ugc/773976175402539955/AB4F54F238DBC3EC5D825590E3B620AEE4B5C028/

keep in mind reyylin wasn't on his computer for personal reasons at the time of this screencap

780 also was unaware of this (https://gyazo.com/b6c0aed39dabe9edf3f4eab48c10a599)

#9
0 Frags +

probably get a faster response on rgl discord, there used to be a bug report channel. I'd just link this there but I'm at work

#10
serveme.tf
5 Frags +

Just having the feature of logging in as another user as an admin isn't a huge deal in my opinion. As long as you make sure the actions done by these admins are logged properly it's a very handy tool to help customers. Has to be used responsibly obviously.

Now not having SSL, either by simply adding cloudflare (probably a good idea for a league site anyway due to DDoS protection) or getting a free cert from letsencrypt, is mind boggling.

[quote]- Your username sanitization is broken, try changing your name to have < in the middle[/quote]

What happens? Is this a potential XSS issue? Has anyone changed name to <script>alert("hi");</script> yet?

#11
11 Frags +
[quote=Arie][quote]- Your username sanitization is broken, try changing your name to have < in the middle[/quote]
What happens? Is this a potential XSS issue? Has anyone changed name to <script>alert("hi");</script> yet?[/quote]

From what I guessed off this comment, the site prevents you from using certain characters (i.e.: < and > would disappear when you submit)
There's still XSS potential if the HTML templates don't do any sanitization, which is possible if the dev just believes it's not a risk since it's "impossible" to submit something unsafe

EDIT: nvm from comment below it looks like a Yikes

I'm a freelance webdev and sysadmin if you guys need, can also do consulting and infosec :^)
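
The point made in #11, as an added example that is not part of any post in this thread and is not RGL's code: a submit-time filter that drops < and > (the behaviour guessed at above) compared with HTML-encoding at render time. The function names, the profile-link template and the second and third sample names are assumptions constructed for illustration.

```javascript
// Added example: every name and template here is hypothetical.

// Input-side filter of the kind guessed at in the thread: drop < and > on submit.
function stripAngleBrackets(name) {
  return name.replace(/[<>]/g, "");
}

// Output-side encoding: escape every HTML metacharacter at render time,
// whatever the submit path did or did not filter.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Template that trusts stored data because the form "cannot" submit anything unsafe.
function renderProfileUnsafe(name) {
  return `<a class="player" title="${name}">${name}</a>`;
}

// Template that encodes on output, so the stored name can stay exactly as typed.
function renderProfileSafe(name) {
  const safe = escapeHtml(name);
  return `<a class="player" title="${safe}">${safe}</a>`;
}

// Run one name through both designs and report what each stores and renders.
function compare(name) {
  const stored = stripAngleBrackets(name);
  return {
    stored,                                   // what the filtering design keeps
    lossy: stored !== name,                   // filter silently changed the user's name
    unsafeHtml: renderProfileUnsafe(stored),  // filter + unencoded template
    safeHtml: renderProfileSafe(name),        // no filter + encoded template
  };
}

// Constructed samples: the test string quoted in the thread, a harmless name
// containing a quote and an ampersand, and a name with < in the middle.
const samples = ['<script>alert("hi");</script>', 'x "y" & z', "a<b"];
for (const s of samples) console.log(compare(s));
```

The second sample passes the filter untouched, yet its quote ends the `title` attribute early in the unencoded template, which is why the encoding has to happen at output rather than rely on what the form accepted.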

#12
3 Frags +
[quote=Arie]Just having the feature of logging in as another user as an admin isn't a huge deal in my opinion. As long as you make sure the actions done by these admins are logged properly it's a very handy tool to help customers. Has to be used responsibly obviously.

Now not having SSL, either by simply adding cloudflare (probably a good idea for a league site anyway due to DDoS protection) or getting a free cert from letsencrypt, is mind boggling.

[quote]- Your username sanitization is broken, try changing your name to have < in the middle[/quote]
What happens? Is this a potential XSS issue? Has anyone changed name to <script>alert("hi");</script> yet?[/quote]

Haven't poked at it, but wouldn't surprise me if there's XSS somewhere seeing as it fails a simple test case

#13
14 Frags +

sigafoo just pay twiikuu to do the website please

#14
3 Frags +

http://sixes.rgl.gg/Public/Articles/Default.aspx?a=1285 some changes

#15
14 Frags +
[quote=Arie]Just having the feature of logging in as another user as an admin isn't a huge deal in my opinion. As long as you make sure the actions done by these admins are logged properly it's a very handy tool to help customers. Has to be used responsibly obviously.[/quote]

absolutely no reason to have it appear as if reyylin or 780 did anything, just have it say "approved by admin" instead of the playername
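
The two requirements raised in #10 and #15 (log admin actions properly, and show "approved by admin" rather than the player's name), sketched as an added example that is not part of any post and is not RGL's code. All identifiers, the sample users and the request ids are hypothetical.

```javascript
// Added example: AuditLog, startImpersonation and the rest are hypothetical names.
class AuditLog {
  constructor() { this.entries = []; }
  record(entry) {
    // Entries are frozen so later code cannot rewrite who did what.
    this.entries.push(Object.freeze({ ...entry, at: new Date().toISOString() }));
  }
}

// An impersonation session carries BOTH identities: the real actor (admin)
// and the subject (the player whose account is being used), plus a reason.
function startImpersonation(log, admin, player, reason) {
  if (!admin.isAdmin) throw new Error("only admins may impersonate");
  if (!reason) throw new Error("a reason is required");
  const session = { actor: admin.id, subject: player.id, impersonated: true };
  log.record({ action: "impersonation.start", ...session, reason });
  return session;
}

// A normal login: actor and subject are the same person.
function ownSession(player) {
  return { actor: player.id, subject: player.id, impersonated: false };
}

// What other users see: an admin's action is labelled as such and never
// displayed under the player's name.
function displayLine(entry) {
  const who = entry.impersonated ? "an admin" : entry.subject;
  return `Request ${entry.requestId} approved by ${who}`;
}

// Every state change is attributed to the real actor in the log.
function approveRequest(log, session, requestId) {
  log.record({ action: "request.approve", requestId, ...session });
  return displayLine(log.entries[log.entries.length - 1]);
}
```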

#16
11 Frags +

There is round off error in the computation of match points. We just lost a match 3-4 and our points should've been 1 since loser points = ((Losing Team Rounds Won)/(Winning team rounds won - 1)) = 3/3. Somehow this computes to 0.99 and the opponents won 2.01. Probably not a super big deal now but if there's computational errors like this this can add up over the course of the season.

#17
5 Frags +
[quote=guac]There is round off error in the computation of match points. We just lost a match 3-4 and our points should've been 1 since loser points = ((Losing Team Rounds Won)/(Winning team rounds won - 1)) = 3/3. Somehow this computes to 0.99 and the opponents won 2.01. Probably not a super big deal now but if there's computational errors like this this can add up over the course of the season.[/quote]

Fixed your score. I'll look into this tomorrow, should be a very small fix and corrected for the next matches. Schedules go up tomorrow.

If anyone else runs into site issues, the best way to get it resolved is either by contacting me directly on discord (sigafoo#0685) or posting in our #help discord channel (http://RGL.gg/PUGs). Generally, we respond within minutes.
