File Commands
SparkyMcSparks
Join Date: 2010-04-12 Member: 71347Members
in Modding
Comments
But.. in terms of your objective, I agree that there will be a need for some kind of persistence mechanism for lua scripts.
Anyway, I completely agree with this idea. .txt files are good for logs, client-side data storage, stuff and more stuff. They could even be used as a database for the server if you are lazy and don't want to learn mysql (it's simple btw (at least the actual coding part)). Gmod has built-in support for litesql (great database support for a server, unless you want it easy to mod via notepad, or need server to server support (and then you use sql modules you can dl)).
So if you ask me, definitely add txt support, and preferably also sql (both lite and normal).
If you allow arbitrary read/write access to your computer from a Script, it opens up the doors for all sorts of malicious activity. Say you download a super cool mod that adds some neat feature X. Being the trustworthy gamer that you are, you don't even think about what the modification actually does, only what it's supposed to do. You install it, start your game and the script runs.
Oops. A virus is downloaded from the script using the game's built-in socket and is written to your computer which in turn infects your machine, steals your passwords and keys, and proceeds to delete key files.
This is why they <b>have</b> to wrap all hardware accessing methods so they can only be used for specific purposes as well as not allow any custom DLLs.
Even faster than hard disk file access.
That would also be able to supply multiple servers with that information.
Try to sync a txt file over multiple machines. Without backdoors opening up.
Good luck.
If we can write data to a client's options XML, I guess that is a good direction to start off with.
Main.SetOptionString( "gameplay/" .. "HighScore", 1337)
Then you can easily pull that up in Lua minutes/ hours/ days after the game has been turned off many times...
local value = Main.GetOptionString( "gameplay/" .. "HighScore", "" )
Oops. A virus is downloaded from the script using the game's built-in socket and is written to your computer which in turn infects your machine, steals your passwords and keys, and proceeds to delete key files.
This is why they <b>have</b> to wrap all hardware accessing methods so they can only be used for specific purposes as well as not allow any custom DLLs.
How would a .txt writing/reading function be able to do that?
1. I am pretty sure passwords and such are not stored in .txt files.
2. Who the heck lets the computer save the passwords? That's just a huge security flaw.
3. Provided someone stores such data in a .txt, I still doubt the txt is in the ns2 data folder (or whatever it will be called).
4. To let the person steal the data they would have to make the script read it from the server, then send it to their client, which not only means they must be on the same server, but I think it also means the server needs the same addon.
A sql function that can connect to another server would make it possible to send ns2 data to someone else that's not on the server, but then again you would need to start the game with it, and it would only be able to send ns2 data.
Gmod 9 had lua viruses btw, but in gmod 10 it got solved (they can only do stuff ingame and in same folder).
We actually asked Max about it shortly after the engine test launch, and it's apparently planned.. just not a high priority.
1/2: Passwords were just an example. Passwords ARE stored on your computer though, whether they're in a text file or not, they would be able to be accessed. Period. Guess where your Windows password is stored?
3: A virus anywhere on your computer is still a virus. AMIRITE?
4: Maybe you don't quite understand. If you install a script and it executes, it can connect to any arbitrary server which could in turn do anything within the power of the script. If that means the script downloads a series of commands, data chunks, etc. then it can do it. Then, since scripts can arbitrarily write data to a file (be it a .txt or anything that isn't wrapped), a command from a server could then have the script write whatever information it wants to the connected client. There are no same-server restrictions here. One or a series of scripts can do this. This is why it's important to wrap these types of functions for security, so while having a client execute certain commands based on server data, these commands wouldn't be able to do very much to the client.
True, Windows stores my login password, but they would need access to my machine to have any use for it. And you can not really trust Windows, maybe they do use .txt (doubt it tho). And I know passwords are not the only thing that could be targeted, but it's pretty useless for most people to use other data.
But I am quite sure it's not stored within the ns2/data folder.
3:
You don't seem to get my point. As I said, the functions would ONLY be able to access .txt files within the ns2/data folder (like gmod does).
The lua should also only be able to affect stuff in your ns2/ folder, which means it can't add itself to autorun or such (yet another feature gmod made for security). So no, it is not really still a virus, just some malware that is able to mess up your game, read the data you got stored in the game and/or lag/crash it.
I know there is a security flaw with games that let random people code lua for them. I got a lua virus myself years ago when I joined a server in gmod 9. But as you know, gmod 10 fixed this by stopping any viruses from affecting anything but the actual game, so the worst gmod virus you can get messes up your gmod, but that's very easy to solve by simply deleting your gmod and getting a clean one (steam recreates it when you start it without the folder).
Therefore a txt lua function would not be (very) problematic.
But yeah, you might have addons that store client-data you don't want other servers to access, maybe make a secondary more secure Data folder where you can't get a list of folders in it, so the filepath is like a password (still not very safe for "secret data" though, just harder for other people).
4: This is about server/client architecture. File functions should be server-side, and client-side, but have some restrictions for the client.
A client should only be able to access the data folder on their own computer.
A server should be able to access both the client's data folder and its own data folder.
Even if you can open/write/close .txt files, there is still a lot of hardening code that would need to be written and tested to ensure that nobody can escape your constraints. The best approach is to just sandbox the script and let it only access stuff that NS2 exposes via a direct API call.
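As an added illustration (not code from this thread or from NS2), the Python sketch below shows the kind of host-side check a wrapped file API has to make before opening a path supplied by a script. The function name, the `.txt` allow-list and the `ns2/data` layout are assumptions based on the proposal discussed above, and the sample tree is constructed.

```python
import os
import tempfile

class SandboxError(Exception):
    """Raised when a script-supplied path must not be opened."""

ALLOWED_EXT = {".txt"}  # assumption: only .txt, as proposed in the thread

def resolve_in_sandbox(data_root, script_path):
    """Return the real path inside data_root, or raise SandboxError."""
    if "\x00" in script_path:
        raise SandboxError("NUL byte in path")
    # Reject backslashes and ':' so drive letters and alternate streams are
    # refused the same way on Windows and POSIX hosts.
    if "\\" in script_path or ":" in script_path:
        raise SandboxError("backslash or drive separator")
    if os.path.isabs(script_path):
        raise SandboxError("absolute path")
    if os.path.splitext(script_path)[1].lower() not in ALLOWED_EXT:
        raise SandboxError("extension not allowed")
    root = os.path.realpath(data_root)
    # realpath collapses ".." and follows symlinks, so the comparison is made
    # on the location the OS would really open, not on the string.
    target = os.path.realpath(os.path.join(root, script_path))
    # commonpath compares whole components, so "data2" does not match "data".
    if os.path.commonpath([root, target]) != root:
        raise SandboxError("escapes data folder")
    # Caveat: this is check-then-open; a real host must also stop the tree
    # from changing between this check and the open call.
    return target

def demo():
    """Run constructed paths against a temporary <tmp>/ns2/data tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "ns2", "data")
        os.makedirs(os.path.join(data, "scores"))
        outside = os.path.join(tmp, "secret.txt")
        open(outside, "w").close()
        os.symlink(outside, os.path.join(data, "link.txt"))  # link out of data
        for p in ["scores/high.txt", "../../secret.txt", "/etc/passwd.txt",
                  "scores/../../x.txt", "link.txt", "mod.dll", "C:\\boot.txt"]:
            try:
                resolve_in_sandbox(data, p)
                results[p] = "allowed"
            except SandboxError as exc:
                results[p] = str(exc)
    return results

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path!r}: {verdict}")
```

Only `scores/high.txt` is allowed; the symlink case shows why checking the extension and the path string alone is not enough.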
I love how this Feha thinks limiting to .txt-files is some hardcore security. Maybe FTP server history shows how hard it is to keep filesystem access 100% secure. ProFTPD is still keeping up the fight to keep chroots secure. Maybe you should realize that you are arguing with puzl, who's an experienced IT engineer who knows this stuff.
I understand I am not the best guy at security and correct me if I am wrong, but as far as I know, normal .txt files can't be viruses. So what problems do you mean?
Theoretically, as long as the data can be executed on your computer's CPU (each CPU has its own specific commands, which is why Macs weren't really at risk until they started using Intel CPUs). The only difference between an EXE and a TXT file is that Windows knows that an EXE is an executable file, so it tries to execute it and a TXT file is believed to be just text. You can however, open up an EXE file in Notepad and execute a TXT file.
Also: Keep in mind that the API and the storage are two different things. In Lua, you would use the API to read/write to the storage, whatever that may be. If you know the location of the file that it writes to, you may be able to open it up. If it uses XML, any text editor will do. If NS2 uses a local instance of a database, then that might pose a problem, as it would also most likely prevent external applications from accessing it.
Flat-files with information separated by commas and semi-colons would work for many, many things, but there is just too much that can go wrong with it when an external user, i.e. a Server, has the ability to write information like that to your computer with your permission, or read from any other text file. Things like INI files (much easier to edit in a text editor, I might add), XML and even a Database Engine, provide security and easy to use storage (not to mention, it would probably be loads faster than processing text files over and over again).
The UnrealEngine has used an INI for everything, as well as provided a mechanism for Logging data. Each class could have its own Config file and almost every data type could be stored. GMod apparently supports serialization, which would work as storage as well, depending on how you set up your classes.
In short, text-editing definitely is easy, but there are better, more efficient, and faster ways to store and manipulate data. If NS2 uses INI or XML files to store data, then the text editor editing route is still open to you. If it uses a Database Engine, that route would probably be closed, but you can always create an editing interface in Lua.