Originally Posted by Sordrak
|
You did, however I missed that comment. I have reached out to cyxui for more details on this matter. Thanks for pointing that out.
I agree this is very concerning. I am also going over all the posts that were deleted.
Back to your source code review:
-Do you agree that it simply doesn't matter what is present on github? What matters is what the binary file does and you have no idea what it does before decompiling / reverse engineer it. I really doubt at that point that the admins are doing this with every single release of the addon.
|
Correct, what is in the exe is the most important and you are correct we don't decompile every release, we spot check. We do however always scan via virustotal always however that will only catch known signatures.
|
-So you consider it not malicious when an addon (respectively the exe) is capable of writing new lua code that hasn't been there before? You have no idea what will be written as it is under full control of the author's server.
|
I don't see it being able to download and execute an exe (this is why we rejected his update.exe), it writes lua. When I look at an exe I look more on how it could remote execute something like installing a key logger, etc. You're saying the author could re-write his AddOn and do something to users in game via said AddOn. That is also bad since we are not able to review the lua that is sent down. I think maybe he needs to change it so lua isn't written, it writes to some txt file and the AddOn reads the data from it?