poco0317
commented
1 year ago I will admit I created that file but my intention was not for it to be released in a pack. This problem exists in all SM lua (all versions of SM that load it.) and affects every way you can load it which includes themes, noteskins, bganimations, and charts. Regardless .... duplicate #957
zkldi
Is there an existing issue for this?
Contact Details
justreplytotheissue
Version Info
Latest available release
What operating system are you seeing the problem on?
Linux (any distro)
Bug Behavior
Lua scripts, including those bundled with packs or charts, can trivially execute arbitrary shell commands via
This is a huge security hole, as it means any SM pack you download or any file you play can do anything to your machine, such as deleting every file in your home directory, or mine dogecoin, etc.
While stepartists don't normally distribute malware with their packs, they easily can. a compromised/malicious mirror for existing packs could also insert malware where there wasn't any before.
Given that most people don't look inside packs for arbitrary
.luafiles before loading them into the game, it would be trivial to use the shell to place malware outside of the pack, and then delete the.luafiles afterwards, leaving no trace of malware.Expected Behavior
Lua scripts should be sandboxed and not be able to execute shell commands.
Reproduction Steps
put
os.system("your command here")in any lua script that the game will load.you can make a simfile load a lua script on-gameplay using
#FGCHANGES:0.000=script.lua=1.000=0=0=1;.Anything else?
this is used as a gimmick in lofty 3 exclusive edition
that file is actually credited to @poco0317, who is the maintainer of this project - is this intentional behaviour? if so, it's extremely dangerous intentional behaviour.