Forum

> > CS2D > General > ATTENTION! Don't run maps you've downloaded!
Forums overviewCS2D overviewGeneral overviewLog in to reply

English ATTENTION! Don't run maps you've downloaded!

46 replies
Page
To the start Previous 1 2 3 Next To the start

old ATTENTION! Don't run maps you've downloaded!

ohaz
User On Online

Quote
Don't run maps you've downloaded from servers until further notice please. There is a pretty serious bug (which I don't want to show here because it would just increase the amount of servers abusing it) which could cause huge problems for you (like viruses or other stuff).
I've messaged user DC about it and hope that he'll fix it soon.

UNTIL IT'S FIXED: Please DON'T start maps you've downloaded from servers on your pc / server! It's for your own safety!

old Re: ATTENTION! Don't run maps you've downloaded!

DC
Admin Off Offline

Quote
This can only be a problem when you host your own server with a map you downloaded. You shouldn't do this unless you are 100% sure that the map is safe.

Playing on random servers with random downloaded maps is safe. Only being a server can be dangerous. On Linux: Don't run the server as root. Create a new user which has only access to the CS2D folder. On Windows: Well.. you shouldn't run CS2D servers with downloaded maps at Windows at all unless you are sure they are safe.

old Re: ATTENTION! Don't run maps you've downloaded!

ohaz
User On Online

Quote
user Zeik has written
And how do you notice if you're a victim of whatever could happen?? You should give more info about this I think..
There is no real way to find out, sadly. There are a lot of ways to abuse this bug. Best try to use your anti-virus and scan your pc.
You could look at all the maps you've run in the editor and check them for strange code in "trigger_if"s

old Re: ATTENTION! Don't run maps you've downloaded!

Yates
Reviewer Off Offline

Quote
user DC has written
This can only be a problem when you host your own server with a map you downloaded. You shouldn't do this unless you are 100% sure that the map is safe.

So are you even going to fix this? Better fix it now, or totally remove it before idiots start abusing this.

old Re: ATTENTION! Don't run maps you've downloaded!

Starkkz
Moderator Off Offline

Quote
user Yates has written
So are you even going to fix this? Better fix it now, or totally remove it before idiots start abusing this.


I've made a simple script that should lock Trigger_If's from using OS/IO table and its functions, but allowing it to use the actual functions of the main Lua state. Anyway, it could still be hacked somehow, but it's safer now.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
TriggerMeta = {}
function TriggerMeta.__index(t,k)
	if k == "os" or k == "io" then
		return nil
	elseif k == "_G" then
		return t
	end
	return _G[k]
end

function TriggerMeta.__newindex(t,k,v)
	if k == "os" or k == "io" then
		return nil
	end
	_G[k] = v
end

addhook("triggerentity","trigger_if")
function trigger_if(x,y)
	if entity(x, y, "typename") == "Trigger_If" then
		local FunctionEnvironment = {}
		setmetatable(FunctionEnvironment, TriggerMeta)

		local Script = loadstring("return "..entity(x, y, "str0"))
		setfenv(Script, FunctionEnvironment)

		local Success, Error = pcall(Script)
		if Success then
			parse("trigger "..entity(x, y, "trigger"))
		elseif Error then
			print("©255000000LUA ERROR: entity("..x..","..y.."): "..Error)
		end
		return 1
	end
end
Something similar could be implemented for the maps inside CS2D's source code.

old Re: ATTENTION! Don't run maps you've downloaded!

KimKat
GAME BANNED Off Offline

Quote
@user DC: Not only Linux based systems has file permissions though. You could create a user with read only privileges for specific applications and folders in Windows. That's why I look at this with sceptism because it's not really more than a false positive. You can simply secure your CS2D folder by applying appropriate file/folder permissions to fix the problem. You can even make, so that CS2D executable can't write to anywhere else but it's own directories, so yea... just saying. I would consider it a rather harmless threat from my knowledge but yea it's indeed pretty bad for people with PC's running on administrator accounts or the likes, so that could be the only problem.
To the start Previous 1 2 3 Next To the start
Log in to replyGeneral overviewCS2D overviewForums overview