Blockland Forums > Modification Help

Looping a function

Pages: << < (2/7) > >>

Headcrab Zombie:


--- Quote from: Uristqwerty on November 17, 2011, 07:31:30 PM ---Please don't use eval, except as a very last resort. It greatly increases the chance of unintentionally creating a security flaw.

--- End quote ---
It's only an issue if the client has some sort of way to directly change what is eval'd, and you don't do anything to prevent the exploit.

But in this case eval isn't necessary.

soba:

This is what I use

--- Code: ---function ServerCmdTestLoop(){
	//Stuff
	// Run this function again in 33 ms
	schedule(33,0,ServerCmdTestLoop);
}

--- End code ---


Nexus:


--- Quote from: Uristqwerty on November 17, 2011, 07:31:30 PM ---Please don't use eval, except as a very last resort. It greatly increases the chance of unintentionally creating a security flaw.
--- End quote ---

This is a function to loop an ambiguous function.  It is much more useful than your version.  I should have included something to stop the loop, but I typed it up in like 20 seconds.



--- Quote from: Greek2me on November 17, 2011, 07:25:52 PM ---Anyway, you just need to cancel your schedule at the beginning of the function.

--- End quote ---

Then it defeats the purpose of having a universal function looper if it doesn't support multiple simultaneous looping functions.  However, in most cases that is correct.

Edit:  Thinking this over some more, I am not sure if having a schedule not parented to an object or variable is a good idea.  I might do something like %loop = schedule(hocus pocus); then send that as an argument to have cancelled.  Or wait that would mean %loop = schedule(%delay, 0, %code, %delay, %loop); and you can't send the schedule in that schedule.  Damn this is odd.  So I would have a loopingSO and have like loopingso.loop[%id] and I could just send the ID and omg this is surprisingly complicated.



--- Quote from: soba on November 17, 2011, 08:44:24 PM ---This is what I use

--- Code: ---function ServerCmdTestLoop(){
	//Stuff
	// Run this function again in 33 ms
	schedule(33,0,ServerCmdTestLoop);
}

--- End code ---

--- End quote ---
Yeah, you just need something to stop the loop and you should be just fine with that.  Probably just a simple
--- Code: ---if(!$islooping)return;
--- End code ---
should work fine.

Uristqwerty:

Let me count the fails here:

[*]function loop
Name is far too generic, function far too specific, likely to cause conflicts with other mods. But if you rename it to something less collision-friendly, then why write a generic function at all?

[*]eval(%code);
Unless you can prove that %code can never contain an exploit, you shouldn't use it. If you don't have the experience required to make such a guarantee, you shouldn't use it, in case you are wrong. Suggesting the use of eval() to anyone less than an extremely experienced coder is sharing a bad practice and encouraging exploitable code. And even they can make mistakes...

[*]$MySchedule
Global, potential name conflict, though as long as you don't call it something like $test, shouldn't be a problem.

[*]universal function looper
A universal function looper only needs call(). What you have is a universal code looper. Also, that universal part? It's more universal than you seem to believe. What if I wrote my own copy of loop() that took an extra parameter of how many times to run? Then whichever add-on was loaded last overwrites the other version. Suddenly my "loop 5 times, 10 seconds apart" calls become "loop infinite times, 10 seconds apart, until the game is closed". Or your "loop endlessly" calls happen 0 times. If you are lucky, I wrote my version to treat "" as "unlimited", and mine was loaded last, so nothing breaks.


The big problem here is encouraging the use of dangerous code without ever mentioning that it can be dangerous at all, and when/why. Oh, and then giving it out as an answer to copy/paste to someone who is likely to be new enough to coding that they don't realize that that sort of code can even BE dangerous.

Oh, and, due to an eval exploit in an add-on that I shall not name until the creator has fixed it, I literally could write a virus. Imagine if anyone joining your server while you have a certain add-on enabled can execute arbitrary code, infecting the server. Next time you join a server afterwards, you'll automatically try to infect the server the same way you were infected previously. This is because somebody who clearly understood what they were doing missed a single very obscure code path that bypassed their otherwise working filter system, so that malicious code made it into an eval() call intact.

Oh, and note that the only reason that the exploit in question works is that the coder decided to implement a form of reflection through eval, to make their code all nice and elegant and stuff. They could easily have written a few ugly but completely safe functions that didn't use eval, and replaced the eval lines with them. Do you choose to risk it? I wouldn't, as there are undoubtedly others who can find that same flaw, and they might choose to exploit it, rather than report it.
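
Added example, not part of any post in this thread: a looper built on call() instead of eval(), which also covers the stop, run-count and multiple-simultaneous-loop problems raised above. The SafeLoop_* function names and $SafeLoop::* globals are hypothetical; schedule(), cancel(), isEventPending(), isFunction() and call() are engine built-ins.

```torquescript
// Added example. SafeLoop_* and $SafeLoop::* are hypothetical names.
// Starts calling %func every %delay ms. %count = "" means "until stopped".
// Returns a loop ID for SafeLoop_stop(), or -1 if %func does not exist.
function SafeLoop_start(%func, %delay, %count, %arg)
{
	// call() looks %func up by name only. The string is never parsed as
	// script, so extra statements hidden in it cannot run as they would in eval().
	// %func should still come from the add-on's own code, not from a client.
	if(!isFunction(%func))
	{
		error("SafeLoop_start: no such function '" @ %func @ "'");
		return -1;
	}

	$SafeLoop::nextId++;
	%id = $SafeLoop::nextId;
	$SafeLoop::active[%id] = true;
	$SafeLoop::event[%id] = schedule(%delay, 0, "SafeLoop_tick", %id, %func, %delay, %count, %arg);
	return %id;
}

function SafeLoop_tick(%id, %func, %delay, %count, %arg)
{
	call(%func, %arg);

	// The looped function may have called SafeLoop_stop() on its own loop.
	if(!$SafeLoop::active[%id])
		return;

	if(%count !$= "")
	{
		%count = %count - 1;
		if(%count <= 0)
		{
			SafeLoop_stop(%id);
			return;
		}
	}
	$SafeLoop::event[%id] = schedule(%delay, 0, "SafeLoop_tick", %id, %func, %delay, %count, %arg);
}

// Stops one loop by ID; other running loops are unaffected.
function SafeLoop_stop(%id)
{
	if(isEventPending($SafeLoop::event[%id]))
		cancel($SafeLoop::event[%id]);
	$SafeLoop::active[%id] = false;
	$SafeLoop::event[%id] = "";
}
```

Keeping the pending event in a global indexed by loop ID avoids having to pass a schedule handle into the schedule that creates it.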

Greek2me:


--- Quote from: Uristqwerty on November 17, 2011, 10:27:18 PM ---Let me count the fails here:

[*]$MySchedule
Global, potential name conflict, though as long as you don't call it something like $test, shouldn't be a problem.

--- End quote ---
Are you kidding me? If you don't even realize that that's just an example...

Who are you by the way? Your avatar is very familiar.
