1C Home   |   Register   |   Today Posts   |   Members   |   UserCP   |   Calendar   |   Search   |   FAQ

Go Back   Official 1C Company forum > 1C Publishing > IL-2 Sturmovik: Cliffs of Dover

IL-2 Sturmovik: Cliffs of Dover Latest instalment in the acclaimed IL-2 Sturmovik series from award-winning developer 1C: Maddox Games.

Reply
 
Thread Tools Display Modes
  #1  
Old 05-20-2011, 09:18 PM
fearlessfrog fearlessfrog is offline
Member
 
Join Date: Jul 2010
Posts: 64
Default Please Be Careful With Missions Files

Hi,

I'll post this here on the main forum, as it's not got much traction in the FMB sub-forum:

http://forum.1cpublishing.eu/showthread.php?t=22978

In summary, download mission files from people you have some knowledge about. The scripting of mission in CoD is powerful, but allows bad people to do bad things, i.e. a mission file has permissions to access your other non-CoD files etc.

In the world of sims the chance of anything bad happening is (I think) very, very small, but people need to at least have the info to make their own judgement.

I'm very much enjoying CoD, and hope to see it getting better and better over time, but this type of issue is a real security vulnerability and should be addressed, hopefully quickly.

Thanks.

Last edited by fearlessfrog; 05-22-2011 at 04:09 PM. Reason: Took out MP, left SP vulnerability
Reply With Quote
  #2  
Old 05-22-2011, 10:01 AM
Longbone Longbone is offline
Member
 
Join Date: Aug 2010
Posts: 49
Default

I'm not a C# specialist, is there a chance to make Script's save ?

+1

Thanks for the advice
Reply With Quote
  #3  
Old 05-22-2011, 10:44 AM
Langnasen
Guest
 
Posts: n/a
Thumbs up

Thanks Frog.
Reply With Quote
  #4  
Old 05-22-2011, 10:51 AM
Ralith Ralith is offline
Member
 
Join Date: Aug 2010
Posts: 34
Default

They're not dangerous to clients in the first place; this is just alarmism by people who don't know what they're talking about. Scripts are executed on the server only, and even at their most malicious cannot have any direct effect on clients. Certainly a server admin should be careful about scripts he downloads, as should a regular user running scripted singleplayer missions, but there is NO danger to clients connecting to servers running scripted missions.
Reply With Quote
  #5  
Old 05-22-2011, 11:24 AM
naz naz is offline
Senior Member
 
Join Date: May 2008
Location: Sydney, Australia
Posts: 152
Default

Excuse me if I am misunderstanding Ralith, but are you agreeing that their is indeed potential for malicious single player missions? If so, I hardly think this is alarmist by fearlessfrog.

Many players of the original IL2 seies (including myself) are/were offline players predominantly or solely. I downloaded and played a huge, and I mean huge, amount of missions and campaigns over the ten or so years of IL2. I've even downloaded and played user made missions for CoD already.

If there is indeed a security vulnerability in the way missions (single offline or online) can be built and/or scripted, then it needs to be addressed sooner rather than later.

Again, If I have misunderstood, my apologies, but thanks for pointing it out Frog and I hope Luthier is or becomes aware of the potential issue.
Reply With Quote
  #6  
Old 05-22-2011, 11:43 AM
ZaltysZ's Avatar
ZaltysZ ZaltysZ is offline
Approved Member
 
Join Date: Sep 2008
Location: Lithuania
Posts: 426
Default

SP missions are not sandboxed currently. This means, that mission script can get same rights as an user you use to run a game. So, watch what you download.

MP mission scripts are executed on server, so you should not be exposed to malicious code just by connecting to server. However, there are classes, whose are responsible for briefing and UI elements scripted on server, but displayed on client. Those could be used for malicious stuff, but so far it seems they aren't accessible from scripts (or I simply don't know the way).
Reply With Quote
  #7  
Old 05-22-2011, 11:48 AM
Longbone Longbone is offline
Member
 
Join Date: Aug 2010
Posts: 49
Default

Quote:
Originally Posted by Ralith View Post
They're not dangerous to clients in the first place; this is just alarmism by people who don't know what they're talking about. Scripts are executed on the server only, and even at their most malicious cannot have any direct effect on clients. Certainly a server admin should be careful about scripts he downloads, as should a regular user running scripted singleplayer missions, but there is NO danger to clients connecting to servers running scripted missions.
As for myself I'm playing mostly offline.
That's why I'm asking, is there a way to check downloaded mission's
because I'm no C# expert.Could there be signed system like they do in ARMA missions/addons ?

Sorry for my bad english
Reply With Quote
  #8  
Old 05-22-2011, 11:57 AM
MadTommy MadTommy is offline
Senior Member
 
Join Date: Jan 2011
Posts: 493
Default

Quote:
Originally Posted by ZaltysZ View Post
SP missions are not sandboxed currently. This means, that mission script can get same rights as an user you use to run a game. So, watch what you download.

MP mission scripts are executed on server, so you should not be exposed to malicious code just by connecting to server. However, there are classes, whose are responsible for briefing and UI elements scripted on server, but displayed on client. Those could be used for malicious stuff, but so far it seems they aren't accessible from scripts (or I simply don't know the way).
Thanks ZaltysZ

Quote:
Originally Posted by fearlessfrog View Post
Hi,

I'll post this here on the main forum, as it's not got much traction in the FMB sub-forum:

http://forum.1cpublishing.eu/showthread.php?t=22978

In summary, please only connect to CoD servers you trust and download mission files from people you have some knowledge about. The scripting of mission in CoD is powerful, but allows bad people to do bad things, i.e. a mission file has permissions to access your other non-CoD files etc.

In the world of sims the chance of anything bad happening is (I think) very, very small, but people need to at least have the info to make their own judgement.

I'm very much enjoying CoD, and hope to see it getting better and better over time, but this type of issue is a real security vulnerability and should be addressed, hopefully quickly.

Thanks.
fearlessfrog can you please edit your posts, as spreading false info is NOT helpful!

You state that connecting to servers is dangerous, which it is not. Downloading single player missions with scripts is another matter.
Reply With Quote
  #9  
Old 05-22-2011, 02:14 PM
Longbone Longbone is offline
Member
 
Join Date: Aug 2010
Posts: 49
Default

OK I know nothing is save in Internet don't panic and OK fearlessfrog please edit your post.
But it must be said for me it was very helpful Thank you again !
Truthfulness is that alot of people play downloaded SP missions and that information is very helpful for them.
I think it could be an easy to use tool for bad people
because Virusscanner don't recognize something ?
Reply With Quote
  #10  
Old 05-22-2011, 04:00 PM
fearlessfrog fearlessfrog is offline
Member
 
Join Date: Jul 2010
Posts: 64
Default

I'll be happy to edit the MP bit, and as I said (a few times) in the post the scenario needs either verification or a comment from 1C. Just to be clear, has anyone run the test mission in the other thread to test for this conclusively yet? (I don't have the setup, I'm typing on an iPad )

As for accusations of FUD, the SP lack of sandboxing is proof to me that security was not considered at all. It will take one bad mission file (you expect people to read the C# before playing, yeah ok?) and it will come back and bite CoD and mission makers everywhere.

Ignoring it or flaming the messenger isn't a solution.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 03:46 PM.

Based on a design by: Miner Skinz.com

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Copyright © 2007 1C Company. All rights reserved.