Ulysses
Ulysses Stuff => Suggestions => Topic started by: Pantho on February 08, 2013, 09:37:58 AM
-
So time and again there are always the odd upload exploits for the Source engine. The current one can only write to the data folder, but it still allows a few people to mess around with ULib user files.
I changed this on our servers, but since ULib already has a setting to change the path of the saved files, it should be easy to add an option to the config file, so that server owners can simply set a value in the config file; this value is added as a precursor for the file names, making all servers use more unique filenames.
Since I suck at explaining it I'll just link the thread: http://www.facepunch.com/showthread.php?t=1244454&p=39518258&viewfull=1#post39518258
Not a major threat, not a ULX-specific one either, but it is one we could help people avoid. Especially those who don't want to touch the Lua itself.
-
Thanks for the tip! I'll have to talk to Megiddo about his thoughts on this. We have been wanting to move most of ULib and ULX's data to a database instead of flatfiles for a while now (or implement Megiddo's SQL/Flatfile abstraction concept (http://nayruden.com/?p=117)), but I can't give even an estimate on the timeframe for that.
The only problem I foresee is that having this unique string stored in a configuration file means that the configuration file has to be stored in a location that can be read without knowing the unique string; in other words, a fixed location. That file could easily get overwritten, the server would lose the unique string, then wouldn't be able to load any of the 'protected' files, thus causing the same effect. :P
Again, I'll talk to the all-knowing (well, mostly-knowing) Megiddo and see what he thinks. In the meantime, the best way to prevent this if you refuse to set sv_allowupload to 0 would be to manually edit the ULib defines.lua file, like you suggested. :)
-
Well, it would be a string the user picks, but I get your point.
-
There's a better way to do this, I think. Why not create a folder with the data that's cleverly named based on a var on the server the first time you run it, or multiple ones? And you don't need to remember this name, because you can just put this folder in another one, so you can just search the dir to find it, no? Also make sure the server converts the old system to the new system for extra cleverness :)
TL;DR: make the dir for ULX data via a clever method