Poll

What do you think of the name?

Sounds like some toy for in bed D:
57 (76%)
I don't get it
6 (8%)
Mkay
7 (9.3%)
Fits the addon
5 (6.7%)

Total Members Voted: 74

Author Topic: The lovetender!  (Read 6935 times)

Even if you block functions, people can create their own. There is no way to create an effective script maker that is exploit free.
Using an exploit in a chat-based-math-bot in Age of Time we managed to completely screw up one guy's game by changing all his graphic and network settings. You don't need functions to break something.

I've kinda updated the process:

1. Check if player has upload rights
2. Check for blacklisted functions (Clientside, Default blacklist)
3. Upload script to server
4. Check for blacklisted functions (Serverside, Custom blacklist)
5. If enabled -> Approve by Host
6. Check if player has exec rights
7. Exec script on the server.

Make host-only, good idea.

There will be a pref to set access, including Host only


Basically Eval in a GUI.

Nice, DL link? :p

It's not even finished yet...

I'm not planning to use the Eval command.
This is both a client and server sided mod:

Clientside it's only possible to create scripts.

Serverside, this is where the magic happens. All the security checks take place here, and if the script/client passes them, the script gets uploaded to the server and saved. This allows executing scripts made by others and stored on the server.

I still think this is a bad idea though.

Tom

I would like to see a checking system that can stop pretty much every threat and not pass anything that is not malicious.

You genuinely think a script is capable of flawlessly identifying the malicious intentions of a piece of code?

Upon further consideration I'm going to be failing this should it make it to the Add-Ons forum at all.
« Last Edit: May 25, 2010, 07:52:46 AM by Ephialtes »

It's called antivirus, and it exists already...
Probably, it won't be possible to block all malicious scripts, but just a blacklist would work..
Also, it's very easy to make something that finds while's, and checks for infinite loops.

It's called antivirus, and it exists already...

Anti-virus does not work out the intentions of a piece of code. People do, and then tell the program how to find those. Unless you plan to release daily patches for this to fix every method people use to bypass your amazing security then I can't see this working at all.

Also, it's very easy to make something that finds while's, and checks for infinite loops.

Yeah I bet it is.

Code:
$a = "1){}";
$b = "le(";
$c = "whi";
eval($c @ $b @ $a);

Code:
for(%i=0;%i<20;%i++)
{
   %i--;
}
« Last Edit: May 25, 2010, 09:41:41 AM by Ephialtes »

You couldn't figure out eval would be blacklisted?
Also, I'll write a little snippet that checks for loops like that.

Also, I'll write a little snippet that checks for loops like that.

Seriously? How about:

Code:
$a = 5;
$b = 3;
while($a > $b)
{
    $a++;
    $b++;
}

There are an infinite number of ways to bypass your "checks" - don't pretend otherwise.
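
As an added illustration of the exchange above (not code from the thread or from the add-on), this Python sketch runs a token blacklist, a "finds while's" check and a naive infinite-loop heuristic over the three snippets posted in the thread. The blacklist contents and both heuristic rules are assumptions; only the snippet text comes from the thread.

```python
import re

BLACKLIST = {"eval"}  # hypothetical; the thread never lists the real blacklist

# The three snippets posted in the thread, copied verbatim.
SPLIT_EVAL = '$a = "1){}";\n$b = "le(";\n$c = "whi";\neval($c @ $b @ $a);'
FOR_LOOP = "for(%i=0;%i<20;%i++)\n{\n   %i--;\n}"
WHILE_LOOP = "$a = 5;\n$b = 3;\nwhile($a > $b)\n{\n    $a++;\n    $b++;\n}"

VAR = r"[%$]\w+"  # TorqueScript local (%x) or global ($x) variable


def call_tokens(src):
    """Identifiers followed by '(' once string literals are blanked out."""
    code = re.sub(r'"(?:\\.|[^"\\])*"', '""', src)
    return set(re.findall(r"[A-Za-z_]\w*(?=\s*\()", code))


def blacklisted(src):
    """Blacklisted names that appear as real call tokens."""
    return sorted(call_tokens(src) & BLACKLIST)


def loop_flagged(src):
    """Naive infinite-loop heuristic (assumed design, two rules)."""
    flat = re.sub(r"\s+", "", src)
    # Rule 1: a for-loop whose body reverses its own ++/-- step.
    m = re.search(rf"for\([^;]*;[^;]*;({VAR})(\+\+|--)\)\{{([^}}]*)\}}", flat)
    if m:
        var, step, body = m.groups()
        return var + ("--" if step == "++" else "++") in body
    # Rule 2: a while-loop whose body changes no variable of its condition.
    m = re.search(r"while\(([^)]*)\)\{([^}]*)\}", flat)
    if m:
        cond, body = m.groups()
        changed = set(re.findall(rf"({VAR})(?:\+\+|--|[-+*/]?=(?!=))", body))
        return not (set(re.findall(VAR, cond)) & changed)
    return False


def scan(src):
    """Run all three checks and report what each one saw."""
    return {"while_seen": "while" in call_tokens(src),
            "blacklisted": blacklisted(src),
            "loop_flagged": loop_flagged(src)}


if __name__ == "__main__":
    for name in ("SPLIT_EVAL", "FOR_LOOP", "WHILE_LOOP"):
        print(name, scan(globals()[name]))
```

The string-built loop never shows up as a `while` token and is stopped only by the `eval` entry, and rule 1 catches the `for` loop, but the last `while` loop passes every check because both condition variables do change. Each new pattern needs its own rule, which is the maintenance burden the replies describe.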