Tillmen
01-03-2010, 05:19 PM
Lich 4.0.23 is up and brings the trusted script system closer to being ready, but it needs testing to see how much people will freak out when it goes live.
I intend to make all script untrusted by default, and users will have to type ";trust <scriptname>" to make a script trusted. Right now, all scripts are trusted by default, and you can see how the script will act as an untrusted script by typing ";distrust <scriptname>".
An untrusted script should not be able to access any file it wants. I put in workarounds to allow them to load the map database, spell list, save/load using the settings class, and start other scripts. Also, an untrusted script will not be able to add a DownstreamHook.
Exec scripts will be trusted by default, because you generally have to type the exec script in yourself. However, if an untrusted script starts an exec script, the exec script will run as an untrusted script.
The purpose of all this is to keep malicious scripts from being able to screw up your computer. Mostly, it's just to keep scripts from being able to steal your password so I can make the quick game entry save passwords, and allow login with one click. However, if you insist on running scripts without reading them, they will still be able to report any variety of profanity at GM's, and there's really nothing I can do about that. At lest with DownstreamHooks disabled for untrusted scripts, the script won't be able to hide the fact that it's doing it.
I need people to try to find a hole in the system that allows an untrusted script to do something malicious. Of course, this doesn't include sending commands to the game. An example would be: untrusted scripts are able to change the map database and add a mini-script direction. Later, a trusted script could call the malicious mini-script in the map database. This hole was filled by making all StringProcs (mini-scripts) run as untrusted, even if called by a trusted script.
I also need to know if more workarounds are needed to allow untrusted scripts to do normal things. For example, "eval(Spell[num].cost)" wasn't allowed until I put a workaround in. I don't want this system to require so many scripts to be trusted as to make it useless.
So far,
go2 seems to work fine as an untrusted script
autoforage works as an untrusted script
infomon needs to be trusted so that it can load and save spell_ranks.txt
updater needs to be trusted, as all it does is deal with files
Most of SpiffyJr's and Azanoths scripts don't seem to work as untrusted
optimus looks like it would work as untrusted if you comment out the part where it checks if wander.lic exists
wander works as untrusted
not too sure about other scripts
I intend to make all script untrusted by default, and users will have to type ";trust <scriptname>" to make a script trusted. Right now, all scripts are trusted by default, and you can see how the script will act as an untrusted script by typing ";distrust <scriptname>".
An untrusted script should not be able to access any file it wants. I put in workarounds to allow them to load the map database, spell list, save/load using the settings class, and start other scripts. Also, an untrusted script will not be able to add a DownstreamHook.
Exec scripts will be trusted by default, because you generally have to type the exec script in yourself. However, if an untrusted script starts an exec script, the exec script will run as an untrusted script.
The purpose of all this is to keep malicious scripts from being able to screw up your computer. Mostly, it's just to keep scripts from being able to steal your password so I can make the quick game entry save passwords, and allow login with one click. However, if you insist on running scripts without reading them, they will still be able to report any variety of profanity at GM's, and there's really nothing I can do about that. At lest with DownstreamHooks disabled for untrusted scripts, the script won't be able to hide the fact that it's doing it.
I need people to try to find a hole in the system that allows an untrusted script to do something malicious. Of course, this doesn't include sending commands to the game. An example would be: untrusted scripts are able to change the map database and add a mini-script direction. Later, a trusted script could call the malicious mini-script in the map database. This hole was filled by making all StringProcs (mini-scripts) run as untrusted, even if called by a trusted script.
I also need to know if more workarounds are needed to allow untrusted scripts to do normal things. For example, "eval(Spell[num].cost)" wasn't allowed until I put a workaround in. I don't want this system to require so many scripts to be trusted as to make it useless.
So far,
go2 seems to work fine as an untrusted script
autoforage works as an untrusted script
infomon needs to be trusted so that it can load and save spell_ranks.txt
updater needs to be trusted, as all it does is deal with files
Most of SpiffyJr's and Azanoths scripts don't seem to work as untrusted
optimus looks like it would work as untrusted if you comment out the part where it checks if wander.lic exists
wander works as untrusted
not too sure about other scripts