Metastruct / outfitter

Outfitter: Workshop player models for multiplayer
http://metastruct.net

RCE exploit - (Too lazy to reproduce) #80

Closed MeteorTheLizard closed 1 year ago

MeteorTheLizard commented 2 years ago

Someone was using this model: https://steamcommunity.com/workshop/filedetails/?id=2487053849

After a server restart the lua files included were also loaded as they did not seem to get unmounted. This happened on a p2p server and the game was not restarted, the session was re-hosted.

I noticed this as the script included caused a ton of errors after spawning and the path lua/autorun/fox .. something.lua became valid and was indeed loaded.

This could be used to do malicious things. Bad.

Python1320 commented 2 years ago

Yes. I could rewrite the gmas for extra security. This would cause even more mounting lag though and doubling of used disk space.

I can't block mounting workshop addons with lua files because every playermodel comes with lua files.

Outfitter is safe as long as you don't use listen server or go to singleplayer afterwards. Outfitter is also "safe" to use on SRCDS. I should maybe add more warnings for this.
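An added audit example, not outfitter's own code: it walks a GMA archive's header and file index as laid out by Facepunch's gmad format and reports which packed files sit under lua/autorun/, i.e. what an operator would want to know before a workshop playermodel gets mounted. The archive it inspects is constructed inline for the demo (addon name, paths and contents are all made up), not a real workshop download.

```python
import struct
from typing import Dict, List, Tuple


def _cstr(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a NUL-terminated string at pos; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("utf-8", "replace"), end + 1


def list_gma_entries(blob: bytes) -> List[Tuple[str, int]]:
    """Walk the GMA header and file index; return (path, size) for each packed file."""
    if blob[:4] != b"GMAD":
        raise ValueError("not a GMA archive")
    version = blob[4]
    pos = 5 + 8 + 8                      # version byte, steamid u64, timestamp u64
    if version > 1:                      # required-content strings; an empty one ends the list
        while True:
            content, pos = _cstr(blob, pos)
            if not content:
                break
    for _ in range(3):                   # addon name, description, author
        _, pos = _cstr(blob, pos)
    pos += 4                             # addon version (int32)
    entries: List[Tuple[str, int]] = []
    while struct.unpack_from("<I", blob, pos)[0] != 0:   # file number; 0 terminates the index
        pos += 4
        path, pos = _cstr(blob, pos)
        size, _crc = struct.unpack_from("<qI", blob, pos)  # int64 size, uint32 crc
        pos += 12
        entries.append((path, size))
    return entries


def autorun_scripts(entries: List[Tuple[str, int]]) -> List[str]:
    """Paths the game runs automatically once the addon is mounted: lua/autorun/*."""
    return [p for p, _ in entries if p.lower().startswith("lua/autorun/")]


def build_gma(files: Dict[str, bytes]) -> bytes:
    """Build a minimal version-3 GMA in memory (constructed sample, no trailing checksum)."""
    out = bytearray(b"GMAD\x03" + struct.pack("<QQ", 0, 0) + b"\x00")   # no required content
    out += b"sample\x00desc\x00author\x00" + struct.pack("<i", 1)
    for n, (path, data) in enumerate(files.items(), 1):
        out += struct.pack("<I", n) + path.encode() + b"\x00" + struct.pack("<qI", len(data), 0)
    out += struct.pack("<I", 0)          # end of index; file bodies follow in index order
    for data in files.values():
        out += data
    return bytes(out)


SAMPLE = build_gma({                     # constructed addon contents, not a real workshop item
    "models/player/fox.mdl": b"\x00" * 16,
    "lua/autorun/pm_extra.lua": b'print("hello")',
    "lua/entities/fox_hat.lua": b"-- entity stub",
})

if __name__ == "__main__":
    print("autorun scripts:", autorun_scripts(list_gma_entries(SAMPLE)))
```

Workshop downloads arrive LZMA-compressed, so a real file needs decompressing before this index walk applies.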

Python1320 commented 2 years ago

This will be more of an issue with HTTP outfitter so I think I will have to implement something or just block lua gma over http.

MeteorTheLizard commented 2 years ago

This is a major security issue. I could easily go on any server with outfitter now and whoever joins singleplayer after loading my model gets pwned. That's just not okay.

Python1320 commented 2 years ago

That's why only workshop is allowed. Your payload will get caught.

Also it will not be persistent without help from other addons.

Cynosphere commented 2 years ago

Ideally they just need to fix workshop content from other servers not getting unmounted when switching to a listen server.

wrefgtzweve commented 1 year ago

Any status on this? This is still a major security issue. It's only waiting to be abused by a malicious player...

Python1320 commented 1 year ago

Please test the changes; I will publish tomorrow in the workshop.