WAD hashes aren't always checked client-side
When trying Freedoom 0.11.3 on my server, I noticed that my client, which was using Freedoom 0.9, was able to connect with no issue at all, even though it was seriously outdated.
As a result, it messed up the client view completely. Adding the MD5 hashes to the client & server didn't fix anything.
This is a huge security flaw, allowing any client with slightly modified IWADs to mess with the clients (or the other way around). Apparently, it was done in the past, but I can't seem to find anything that checks it in the source code.
Is this entirely normal?
Steps to reproduce:
1) Create 2 folders: one for the client, one for the server.
2) On the server, add Freedoom1.wad version 0.9 (easier to notice since maps are different). Client-side, add Freedoom1.wad version 0.11.3.
3) Create a server (using the default config is enough) with Freedoom1.wad
4) The client should run it like this: Odamex.exe -connect localhost
The server accepts the client even if the IWAD is different.
HOWEVER, if you try to join using Odalaunch, it'll throw an error.
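The hash comparison this report expects on every join, including a direct -connect, sketched as an added example (not Odamex code and not part of the original report). The function names and the (file name, MD5) list format are assumptions, and the two WAD images are constructed in memory.

```python
import hashlib
import struct

def build_wad(kind: bytes, lumps: dict) -> bytes:
    """Constructed sample data: pack lumps into the WAD on-disk layout."""
    body, directory = b"", b""
    for name, data in lumps.items():
        # Directory entry: file offset, size, 8-byte NUL-padded lump name.
        directory += struct.pack("<ii8s", 12 + len(body), len(data), name.encode())
        body += data
    # Header: 4-byte magic, lump count, offset of the directory.
    return struct.pack("<4sii", kind, len(lumps), 12 + len(body)) + body + directory

def wad_fingerprint(data: bytes):
    """Return (kind, md5 hex) for a WAD image, rejecting malformed headers."""
    if len(data) < 12:
        raise ValueError("too short for a WAD header")
    kind, numlumps, dir_ofs = struct.unpack_from("<4sii", data, 0)
    if kind not in (b"IWAD", b"PWAD"):
        raise ValueError("bad WAD magic")
    if numlumps < 0 or dir_ofs < 12 or dir_ofs + 16 * numlumps > len(data):
        raise ValueError("lump directory out of bounds")
    return kind.decode(), hashlib.md5(data).hexdigest()

def verify_wads(advertised, local):
    """Compare the server's (name, md5) list with the local files.
    Returns a list of problems; an empty list means the join may proceed."""
    problems = []
    for name, want in advertised:
        if name not in local:
            problems.append(f"{name}: missing locally")
            continue
        _, have = wad_fingerprint(local[name])
        # Same file name is not enough: the content hash must match too.
        if have != want.lower():
            problems.append(f"{name}: md5 {have} != server {want.lower()}")
    return problems

# Constructed stand-ins for two releases that share one IWAD file name.
OLD_IWAD = build_wad(b"IWAD", {"E1M1": b"old map data"})
NEW_IWAD = build_wad(b"IWAD", {"E1M1": b"new map data", "E1M2": b"extra"})
SERVER_LIST = [("freedoom1.wad", wad_fingerprint(OLD_IWAD)[1])]

if __name__ == "__main__":
    print(verify_wads(SERVER_LIST, {"freedoom1.wad": NEW_IWAD}))  # one mismatch
    print(verify_wads(SERVER_LIST, {"freedoom1.wad": OLD_IWAD}))  # no problems
```

Running the comparison in the connect path itself, rather than only in the launcher, is what makes the result the same for both ways of joining.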