This was posted in General and I got permission from MoanaLisa to post it here as well, as it directly pertains to the Interface and an addon that is heavily discussed in this forum. Original post is here.
Abandon the search for Truth; settle for a good fantasy.
iKeystones, iLFRDescription, iEncounterEventTracker
Code:
    local exec_env = setmetatable({}, {__index = _G})
    exec_env._G = exec_env
    exec_env.getfenv = forbidden
    exec_env.SendMail = forbidden
    exec_env.SetTradeMoney = forbidden
    exec_env.getmetatable = function(t)
      if t == exec_env then error("nope") else return getmetatable(t) end
    end
    exec_env.setmetatable = function(t, m)
      if t == exec_env then error("nope") else return setmetatable(t,m) end
    end

Is the chunk that was added in the most recent WA, for reference. Can't test right now, but there are still some potential workarounds that would need testing - for example, if/how forceinsecure() affects the function environment through DevTools_DumpCommand, or whether any of the debugX functions allow arbitrary code to execute by loading it outside the function environment.
Yeah, there's a bunch of other "dangerous" functions I can think of offhand. IIRC deleting items isn't protected, right?
Actually, the currently implemented lockout works decently as long as there are no workarounds that can allow code to circumvent the function environment. Look into setfenv.
Addons do have that ability and we made sure that SendMail and SetTradeMoney no longer work from a WeakAura. Also I'm pretty sure Blizzard will make some changes to some of those APIs in the future, but for the time being your gold is safe now. There might still be some bad API remaining that we have to block; it would be cool if anyone reports those and "bad" auras they found to me/us.
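The function-environment lockout quoted above can be regression-tested outside the game; this is an added example, not part of the original thread and not WeakAuras' own code. It assumes stock Lua 5.1, and the `forbidden` helper, the `run_sandboxed` wrapper, the stub API functions and the probe strings are all constructed for illustration.

```lua
-- Needs Lua 5.1 (the version WoW embeds): setfenv/loadstring are gone in 5.2+.
-- Stand-in stubs; in game these are Blizzard API functions.
SendMail = function() return "mail sent" end
SetTradeMoney = function() return "money set" end

-- Assumed definition: the quoted chunk uses `forbidden` without showing it.
local function forbidden() error("forbidden function", 2) end

-- The environment from the quoted chunk.
local exec_env = setmetatable({}, {__index = _G})
exec_env._G = exec_env
exec_env.getfenv = forbidden
exec_env.SendMail = forbidden
exec_env.SetTradeMoney = forbidden
exec_env.getmetatable = function(t)
  if t == exec_env then error("nope") else return getmetatable(t) end
end
exec_env.setmetatable = function(t, m)
  if t == exec_env then error("nope") else return setmetatable(t, m) end
end

-- Compile an aura's custom code string and run it with exec_env as its globals.
local function run_sandboxed(src)
  local fn, err = loadstring(src)
  if not fn then return false, err end
  setfenv(fn, exec_env)
  return pcall(fn)
end

-- Constructed probes: {label, code, whether the code should be allowed to run}.
local probes = {
  {"direct call",      "return SendMail('x', 'y', 'z')", false},
  {"via _G",           "return _G.SetTradeMoney(1)",     false},
  {"getfenv",          "return getfenv(0).SendMail",     false},
  {"strip metatable",  "return setmetatable(_G, nil)",   false},
  {"read metatable",   "return getmetatable(_G)",        false},
  {"harmless global",  "return math.floor(2.5)",         true},
  {"global write",     "leak = 1 return leak",           true},
}

for _, p in ipairs(probes) do
  local ok = run_sandboxed(p[2])
  print(p[1], ok and "ran" or "blocked", ok == p[3] and "as expected" or "UNEXPECTED")
end
-- Globals written by sandboxed code are stored in exec_env, not the real _G.
print("leak visible in real _G:", leak ~= nil)
```

The probes only cover names resolved through the function environment, which is the limit of this kind of denylist: any route that runs code outside exec_env is not exercised here.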
Last edited by Stanzilla; 2013-12-04 at 07:11 PM.
http://www.wowace.com/addons/weakauras-2/ is the main site, yes.
- - - Updated - - -
Well, turns out that there is still a way around our protections and this time we can't really fix it. It's Blizzard's turn now.
Hey Stanzilla, what warning does it come up with?
Can you just interpret the script and for the Lua parts outline to the user exactly what it's going to do THEN have them click a "Yes I want to do this"?
Is that the warning you have in there?
This is only an issue if you import weakauras, correct? If that's the case, I'm glad I make all of my own weakauras.
Is there (or will there be) a way to disable the ability to receive weakauras directly in game?
All evening I have been getting auras popping up in game like this: http://imgur.com/fs4wum3
No associated in-game whispers, just level 1 characters repeatedly causing the import window to pop up with malicious intent.