Author Topic: Legends of Blockland RPG  (Read 21400 times)

So what inspections would you recommend adding to the current list it checks for?
You cannot fully guarantee a file is safe to execute unless you make a whitelist.

What I rather meant is to maybe have some opt-in feature that adds some tick box to the "Do you want to install" dialog that gives you the possibility of manually inspecting what you just downloaded before any of it is executed within your Blockland.

What I rather meant is to maybe have some opt-in feature that adds some tick box to the "Do you want to install" dialog that gives you the possibility of manually inspecting what you just downloaded before any of it is executed within your Blockland.

Oh well by default it does not execute what you download immediately, it scans and asks if you want to load it first.

I wonder if it scans this as malicious.

$str = "c" @ "r" @ "a" @ "s" @ "h();";
eval($str);

is the server open again yet?

is the server open again yet?
Yes.
I wonder if it scans this as malicious.

$str = "c" @ "r" @ "a" @ "s" @ "h();";
eval($str);

It would, eval is on the blacklist.

A crash is really not the point. More like messing up a user's config, calling random functions of other add-ons (for example, you could use one of the RTB supports scripts to get a tcp object or have access to the eval function, etc) and other things that aren't instantly noticed. Maybe even sneak in another backdoor through the downloaded script. You could even give some players a different file based on their bl_id or whatever.

All of that is hidden of course. All the user ever sees is "Do you want to download shinyeffects.cs" > Yes > "File has been approved and is secure" > Yes > Shiny effects appear on screen

This add-on is a giant security risk for players that don't know what they're doing and just download it because they want to join your server, and you cannot fix it. If you want to have a custom client with an auto updater only for you, there is no problem at all. Just release it as a separate add-on.


Also please note that I'm not trying to attack your server or whatever. The gamemode is great and the gui looks really nice. But the way you chose to distribute it is beyond horrible.
« Last Edit: December 29, 2014, 08:15:26 PM by Zeblote »

Don't be so melodramatic. Blockland+ is actually a very good concept and is decently made.

A crash is really not the point. More like messing up a user's config, calling random functions of other add-ons (for example, you could use one of the RTB supports scripts to get a tcp object or have access to the eval function, etc) and other things that aren't instantly noticed. Maybe even sneak in another backdoor through the downloaded script. You could even give some players a different file based on their bl_id or whatever.

All of that is hidden of course. All the user ever sees is "Do you want to download shinyeffects.cs" > Yes > "File has been approved and is secure" > Yes > Shiny effects appear on screen

This add-on is a giant security risk for players that don't know what they're doing and just download it because they want to join your server, and you cannot fix it. If you want to have a custom client with an auto updater only for you, there is no problem at all. Just release it as a separate add-on.
OpenForWrite is blocked as well, so you cannot mess up their config. Calling functions in another add-on being a problem sounds like that other add-on is the problem anyway, not this. When the download request is sent, it shows you the url it downloads from and where it saves it to, so you'd have to upload a different file for the url real quick to make a certain person download a different file than the rest, or the url would show up different. Any download system could send a specific blid a different file though, and many do not even tell you the exact url it downloads from like this. This system alone does not add any additional security risks, it takes some away if anything compared to downloading files without this.
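
The blacklist and whitelist approaches argued over in the posts above, side by side, as an added Python example that is not part of the thread and is not the add-on's own scanner. eval and OpenForWrite are the two names the thread says are blocked; the allowlist contents and the otherAddon_doThing sample are constructed for illustration.

```python
import re

# The two names the thread says are blocked; the scanner's full list is not shown.
BLACKLIST = {"eval", "openforwrite"}
# Constructed sample allowlist (assumption): only what the client scripts need.
ALLOWLIST = {"echo", "getword", "strlen"}
# Control-flow words that may be followed by "(" without being calls.
KEYWORDS = {"if", "while", "for", "switch", "return"}

STRINGS_AND_COMMENTS = re.compile(
    r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|//[^\n]*')
CALL = re.compile(r'([A-Za-z_][A-Za-z0-9_:]*)\s*\(')

def called_names(source):
    """Lower-cased names followed by '(' outside strings and comments.

    Function definitions are picked up like calls in this sketch, so a
    script that defines a new name is also subject to the lists.
    """
    code = STRINGS_AND_COMMENTS.sub('""', source)
    return {m.group(1).lower() for m in CALL.finditer(code)} - KEYWORDS

def blacklist_hits(source):
    """Default-allow: report only names known to be bad."""
    return sorted(called_names(source) & BLACKLIST)

def allowlist_violations(source):
    """Default-deny: report every name not explicitly approved."""
    return sorted(called_names(source) - ALLOWLIST)

# The snippet posted in the thread.
THREAD_SNIPPET = '$str = "c" @ "r" @ "a" @ "s" @ "h();";\neval($str);'
# Constructed sample: no blacklisted name, but it calls into another add-on.
OTHER_ADDON_CALL = ('echo("loading effects");\n'
                    'otherAddon_doThing(%client); // eval( in a comment')

if __name__ == "__main__":
    for label, src in (("thread", THREAD_SNIPPET), ("other", OTHER_ADDON_CALL)):
        print(label, "blacklist:", blacklist_hits(src),
              "allowlist:", allowlist_violations(src))
```

Both checks flag the thread's eval snippet, but only the default-deny check flags the call into another add-on, which the blacklist passes as clean.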

did the server just crash?

did the server just crash?
yes

i will mousefire my way to 99 mining

yes

i will mousefire my way to 99 mining
Double clicking does the same thing as mousefire though...

someday i will leave spawn island for a better place.....


crash near the end of a hard dungeon raid ughhhhhh