Open DrKittens opened 2 years ago
Hello, this is not my host, but it is owned by one of the Single Player Project developers. If you know a free file host with the possibility of direct URLs and no ban for lots of downloads (like Dropbox), I can switch to it 🙂
I guess I can at least integrate a SHA check, thanks for the suggestion
Issue: Additional files are downloaded from a third party provider without transport security.
ex: https://github.com/celguar/spp-classics-cmangos/blob/315d420647127ed47adae5346e445d4dd5e4836c/Launcher.bat#L546
Please make use of the standard Windows `certutil` command (`certutil -hashfile <filename> sha256`) to validate the SHA256 hash of the downloaded module file against a hash file / known "good" string shipped in the project on github and (or) work with the filehost to procure an SSL certificate using a free provider such as ZeroSSL or LetsEncrypt!
Reason: Increase trust of the installation utility / remove hijack risk of download.
Alternatively publish / link to the master for building the distributed binaries so people can build it themselves.
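The `certutil` check suggested in this issue could look like the batch script below. It is an added example, not code from the project's Launcher.bat; the script name `verify_download.bat` and the manifest `hashes.sha256` (committed to the repository, one `<sha256-hex> <file-name>` pair per line) are assumptions.

```batch
@echo off
setlocal DisableDelayedExpansion
rem Usage: verify_download.bat <downloaded-file>
rem Assumptions (not from the project): this script name, and a manifest
rem hashes.sha256 committed next to it with lines "<sha256-hex> <file-name>".
set "FILE=%~1"
set "NAME=%~nx1"
set "MANIFEST=%~dp0hashes.sha256"
if not exist "%FILE%" goto :setup_error
if not exist "%MANIFEST%" goto :setup_error

rem Look up the pinned hash for this file name in the manifest.
set "EXPECTED="
for /f "usebackq tokens=1,*" %%A in ("%MANIFEST%") do (
    if /i "%%B"=="%NAME%" set "EXPECTED=%%A"
)
if not defined EXPECTED goto :setup_error

rem certutil prints a header line, the digest, then a status line.
rem Keep only the first line after the header.
set "ACTUAL="
for /f "skip=1 delims=" %%H in ('certutil -hashfile "%FILE%" SHA256') do (
    if not defined ACTUAL set "ACTUAL=%%H"
)
if not defined ACTUAL goto :setup_error
rem Some older Windows releases print the digest as space-separated bytes.
set "ACTUAL=%ACTUAL: =%"

if /i "%ACTUAL%"=="%EXPECTED%" goto :ok
echo SHA256 MISMATCH for "%NAME%"
echo   expected: %EXPECTED%
echo   actual:   %ACTUAL%
rem Fail closed: remove the untrusted file so later steps cannot use it.
del /f /q "%FILE%"
exit /b 1

:ok
echo SHA256 verified for "%NAME%"
exit /b 0

:setup_error
echo Cannot verify "%NAME%": file, manifest entry or certutil output missing.
exit /b 2
```

The launcher would call this right after each download and stop on a non-zero exit code. The check is only as trustworthy as the manifest, which is why it ships with the project on GitHub rather than coming from the same file host as the download.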