angstsmurf / spatterlight

Updated fork of Spatterlight
GNU General Public License v3.0

Don't allow Alan to call system() #71

Closed cspiegel closed 1 year ago

cspiegel commented 1 year ago

While going over the Alan2 source, I discovered that it can, apparently, call the system() function with an arbitrary string from the game. While I'm not entirely sure of the mechanism behind it (looks like there's a SYSTEM instruction, so it would be trivial for a game to call), I can't see any legitimate reason to allow it to happen. There are no circumstances I can think of where it makes any sense for a game to be able to run a command on a user's machine. It's a massive security risk.

This change simply drops the call to system().

Alan 3 also has this instruction, so it's removed in both interpreters.
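The pattern described above, as an added example that is not code from Spatterlight or from the Alan interpreters: a small instruction dispatcher for a hypothetical game bytecode (the `instr_t` struct, the `OP_*` opcodes and the sample program are all constructed here and do not reflect Alan's real file format). Instead of handing the game's string to `system()`, the dispatcher treats a `SYSTEM` instruction as a hard error and stops, and a separate audit pass counts such instructions so a game that would reach for the host shell can be flagged before it is run at all.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical opcodes, constructed for this example; they are not Alan's
   real bytecode encoding. */
enum op { OP_PRINT, OP_SYSTEM, OP_END };

typedef struct {
    enum op opcode;
    const char *arg;   /* string operand that comes straight from the game file */
} instr_t;

enum { EXEC_OK = 0, EXEC_REFUSED = -1, EXEC_BAD_OPCODE = -2, EXEC_TRUNCATED = -3 };

/* Audit pass: count SYSTEM instructions in a decoded program so that a game
   which tries to run host commands is visible without executing it. */
size_t audit_system_calls(const instr_t *prog, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (prog[i].opcode == OP_SYSTEM)
            hits++;
    return hits;
}

/* Hardened dispatcher: SYSTEM is refused rather than passed to system().
   Printed text is appended to `out` instead of stdout so callers can inspect it. */
int execute(const instr_t *prog, size_t n, char *out, size_t outlen)
{
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        const instr_t *ins = &prog[i];
        switch (ins->opcode) {
        case OP_PRINT: {
            size_t len = strlen(ins->arg);
            if (used + len + 1 >= outlen)   /* never overflow the output buffer */
                return EXEC_TRUNCATED;
            memcpy(out + used, ins->arg, len);
            used += len;
            out[used++] = '\n';
            out[used] = '\0';
            break;
        }
        case OP_SYSTEM:
            /* The game-supplied string is never given to system(): log the
               attempt and stop interpreting this game. */
            fprintf(stderr, "refusing SYSTEM instruction with argument \"%s\"\n", ins->arg);
            return EXEC_REFUSED;
        case OP_END:
            return EXEC_OK;
        default:
            return EXEC_BAD_OPCODE;
        }
    }
    return EXEC_OK;
}

/* Constructed sample program: a harmless print followed by a SYSTEM
   instruction of the kind a game author could embed. */
const instr_t sample_program[] = {
    { OP_PRINT,  "Welcome to the cave." },
    { OP_SYSTEM, "echo hello" },
    { OP_PRINT,  "never reached" },
    { OP_END,    NULL },
};
const size_t sample_len = sizeof sample_program / sizeof sample_program[0];

int main(void)
{
    char out[256];
    printf("SYSTEM instructions found: %zu\n", audit_system_calls(sample_program, sample_len));
    int rc = execute(sample_program, sample_len, out, sizeof out);
    printf("exit code %d, output so far:\n%s", rc, out);
    return rc == EXEC_REFUSED ? 0 : 1;
}
```

Dropping the `system()` call, as this PR does, is the whole fix; the audit function is only there to show how one would answer the question of which existing games ever used the instruction, by scanning their decoded instruction streams rather than running them.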

angstsmurf commented 1 year ago

Thanks! We better check all Alan games now to see which ones try to install bitcoin miners. :)