-
July 5th, 2020, 20:01 #11
I'd love to hear this as well.
I'm glad to hear the site should be secure, but I'm much more worried about running a public-facing server on my personal computer with an open port (if using LAN connection).
Hearing an official statement that considerations are being made for this fairly large risk would be reassuring.
bmos' extensions
he/them
-
July 6th, 2020, 20:07 #12
- Join Date: Oct 2017
- Posts: 1
AFAIK, all the OS features in the Lua sandbox were disabled, for instance, which kind of shows they're at least a bit security-aware. Also FG is run with user privileges, which limits the attack reach. But indeed, if there were an overflow of some kind in the libraries used (I think we can assume they use a high-level language and don't reinvent the standard C lib from scratch), an attacker targeting it could possibly perform malevolent stuff. However, I believe the direct connection issue disappears with the cloud lobby.
But I am no FGU developer, so my word is just a former pentester's view ;]. Also pardon my strange English, I'm a frog ^^. Have a good day
-
July 6th, 2020, 21:31 #13
As mentioned, the LUA implementation doesn't have any of the OS accessible features enabled - see here: https://fantasygroundsunity.atlassia...ua-Programming
Also, any connection to the GM on port 1802 doesn't have any rights to upload or control code. The only code available is that loaded by the GM (ruleset and extensions) when they loaded their campaign. All of this code is the FG LUA linked above. The *worst* that could happen is that someone tries to do denial of service by flooding port 1802 - with either a bunch of crap, or simulating a FG player client and doing a bunch of stuff (roll dice again and again, etc.).
Private Messages: My inbox is forever filling up with PMs. Please don't send me PMs unless they are actually private/personal messages. General FG questions should be asked in the forums - don't be afraid, the FG community don't bite and you're giving everyone the chance to respond and learn!
-
July 7th, 2020, 00:03 #14
FGC can only write XML and Mask PNGs to the file system and cannot delete anything.
I'm not sure if FGU can also write images to the file system.
There are very few things that the cGM client is allowed to do and even fewer for the player.
-
July 11th, 2020, 19:11 #15
- Join Date: May 2019
- Posts: 339
Thanks @_haplo__, @Trenloe and @damned. That helps quite a bit.