Offsite Downloads

Discussion in 'BukkitDev Information and Feedback' started by Drakia, Oct 11, 2011.

Thread Status:
Not open for further replies.
  1. Offline

    Rigby90



    Anyways...

    Thanks for the suggestion/feedback... However it might be worth talking about the plugin dev tag elsewhere though :p.
     
    resba, Don Redhorse, fr34k_tk and 2 others like this.
  2. Offline

    chaseoes

    No, you WERE a murderer, keeping your killing spree going KEEPS you a murderer. There's a difference.
     
    Don Redhorse likes this.
  3. Offline

    DrAgonmoray

    Oh, so then all the people who are in jail for killing somebody should be released, since they aren't murderers anymore.
     
  4. Offline

    chaseoes

    Yes, provided that they're "inactive" murderers. I'm glad that you understand now.
     
    Don Redhorse likes this.
  5. Offline

    DrAgonmoray

    I really hope you're joking. Because this stupidity is scaring me.
     
    M1sT3rM4n likes this.
  6. Offline

    cjc343

    Sounds like Poe's Law to me (you Nazi).
     
  7. Offline

    gamerluke

    Thing : Result
    Murder someone : Become a murderer
    Don't kill anyone else: Changed murderer
    Keep Killing: Serial murderer

    Terms
    Murder someone : Murderer
    Don't kill anyone else: Criminal record
    Keep Killing: Serial Killer

    Happy now? Good, now let's move on.
    PS: Apples and Oranges can both be thrown, consumed and so many more things (yes, I said thrown before consumed, that doesn't make me a murderer or a potential suspect)
     
    Don Redhorse likes this.
  8. Offline

    ZachBora

    Back to topic... does asking offsite link permission make these people potential malware providers?
     
  9. Offline

    gamerluke

    Any link from an external site has a small risk of being some form of virus...
    I can assure people that use my download links that they're completely safe.

    In case anyone wants more info on mine:
    All my links work like this:
    Example download link
    http://www.lsrw.co.uk/bukkit/project/<plugin name>/dl/<plugin name>.jar
    (This is just a direct download link)

    Example project link (these haven't been added in yet)
    http://www.lsrw.co.uk/bukkit/project/<plugin name>/directory
    (This gives a list of the things inside that directory, therefore it shows you any images related to that plugin / readmes)
     
  10. Offline

    Drakia

    Any uploaded file has the exact same chance since file approval is a joke
     
    DrAgonmoray and ThatBox like this.
  11. Offline

    ThatBox

    You're getting somewhere. It's not like the moderators actually DOWNLOAD the file. Especially since there are so many submissions.
     
  12. Offline

    alexanderpas

    I can guarantee you that if off-site linking is implemented, it will be used to host malware. (bait and switch.)
    True, but you can't change the contents of an uploaded file, it's either malware, or it's not.

    An uploaded file to Bukkitdev is static, there is no possibility to change the file after upload.
    They may not download the file, but it might get checked automatically by a virus scanner or something.
     
  13. Offline

    cyberdude

    God damn! Ignorant fool. Please don't spew untrue claims ;)

    I can guarantee there is as much chance of it being used for malware, whether it is off-site linking or not, just as much as the chances have been here on the forums.
    It takes about 5 lines of code added to a jar, and then you can do whatever the f**k you want, whether to download malware, update itself on the 1st of next month, download whatever backdoor or trojan you like.
    As I have stated before in another thread, the on-site linking and file approval would only EVER be able to stop the LAMEST attempts of spreading malware, and in fact only adds a false sense of security.
    No virus scanner or anything will ever catch the attempts of adding malware that has been created in more than 2 minutes.
    Basically I write the code, I decide what it should do.
    Whether to download file.exe from malicousdomain.com on the 31st October at 3:35pm, or if it should download mydomain.com/pluginname.jar on the 3rd run. A virus scanner would not catch that.

    The jars you download have 100% access to your system (account) and can do whatever the f**k they want.
    No file approval, or on-site linking is going to prevent that.

    We already have plugins that autoupdate by fetching their plugin.jar file when a new one is out. What is to stop that "non-controlled" jar file to not contain any known malware, or homemade code to control your computer. NOTHING!

    Yes an uploaded file to BukkitDev is static, but there is nothing to prevent it from not being something totally different 2 seconds after you loaded the plugin.
     
  14. Offline

    ZachBora

    i vote cyber for mod
     
    Daniel Heppner likes this.
  15. Offline

    alexanderpas

    Except for you decompiling a plugin before it's loaded.
     
  16. Offline

    Drakia

    And if the plugin contains "auto update" code?
     
  17. Offline

    ZachBora

    How do you auto-update an application and does it change the jar itself or add another file?
     
  18. Offline

    Drakia

    Download a file over itself so on next load it's a different plugin.
     
  19. Offline

    cyberdude

    As Drakia said, and I already explained in the post. It's already valid to have your plugin auto update plugin.jar from your server, so if you decompile you'll see the plugin fetching an updated version of the plugin, nothing more, nothing less... Whatever this updated jar (that might not even exist at first, but be uploaded later) contains, you will never know until you decompile that, and well, at that point it is already too late. And besides that, there are tons of other ways to do this. You can obfuscate your code, making it basically unreadable upon decompile, even just obfuscate part of the code. You can even add whatever files you want to the Jar and disguise them as resources that are to be extracted by the jar. There are literally hundreds of ways to hide the malicious intention of the plugin.
    Besides, how many users do you know who decompile plugins before using them? Don't count on the Bukkit Team decompiling and reading through the thousands of plugins.

    So really, your point being?????

    Just face it, I upload my plugin, I decide what it does. I can conceal whatever malicious intentions I have, and neither you nor the Bukkit Team/BukkitDev can do shit about it.
    If a plugin developer really were intending to spread malicious content, it'll be no problem. For all we know, several plugins might have already spread malicious content. You don't know, I don't know, and the Bukkit Team doesn't know.
    Face it, running these plugins is putting blind trust into the developers, and hoping they don't have bad intentions. If they do, you can't really do shit about it.
    A properly written malicious application, going about quietly, would easily pass by heuristics scanners, and the fact that the plugin is running in the minecraft application means that any firewall blocking has already been set to unblock/allow any communication for the minecraft server application.
    These plugins are really a haven for malicious software distribution. In the future we will have to be VERY careful about what we are doing, especially if there are so many users that this suddenly turns into a lucrative business.
    And file approval will NOT be one of those things helping. It might catch some of the obvious attempts. But anyone that earns their living practicing malicious software activities, or just as a hobby will be able to circumvent the "protection" offered by the File approval process. Thus the file approval process adds ABSOLUTELY NO security whatsoever, if anything it only helps the malware authors because the File approval process and the fact that the download is hosted at BukkitDev will add a false sense of security for users.

    You add it to the Bukkit update folder ;)... On next reload/restart, Bukkit does the magic for you.
    I'm not really sure you can overwrite the file, because while loaded (even after unload) the plugin jar file is still locked by the minecraftserver.
    However you can modify the file, so you can write the content of the updated jar directly into the current jar.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 20, 2016
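
The point made in the posts above is that a jar approved once can differ from what is on disk later, either rewritten in place or staged in the update folder. As an added example (not part of the thread and not Bukkit's own code), a server admin can record SHA-256 hashes of the jars they reviewed and compare the plugins directory against that baseline before each reload. It assumes the update folder is named `update` and sits under the plugins directory; the jar names and contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

UPDATE_DIR = "update"  # assumption: update folder lives under plugins/


def snapshot(plugins_dir):
    """Map every jar under plugins_dir (update folder included) to its SHA-256."""
    return {p.relative_to(plugins_dir).as_posix():
            hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(plugins_dir.rglob("*.jar"))}


def compare(baseline, current):
    """Classify jars against the baseline recorded when they were reviewed."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def staged_updates(report):
    """Jars in the update folder replace plugins on the next reload/restart."""
    changed = report["added"] + report["modified"]
    return [k for k in changed if k.startswith(UPDATE_DIR + "/")]


def demo():
    """Constructed data: placeholder bytes stand in for real plugin jars."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp)
        (plugins / "Example.jar").write_bytes(b"reviewed build")
        (plugins / "Other.jar").write_bytes(b"untouched")
        baseline = snapshot(plugins)
        # Simulate the two update paths described in the thread.
        (plugins / "Example.jar").write_bytes(b"rewritten in place")
        (plugins / UPDATE_DIR).mkdir()
        (plugins / UPDATE_DIR / "Example.jar").write_bytes(b"staged build")
        report = compare(baseline, snapshot(plugins))
        return report, staged_updates(report)


if __name__ == "__main__":
    print(demo())
```

This only reports that a file changed after review; it says nothing about what a jar does once it is loaded, so the baseline should be kept somewhere the server account cannot write to.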
  20. Offline

    ZachBora

    I'm pretty sure you can replace it. Eclipse overwrites without a problem and on a Linux server I can overwrite without stopping the server.
     
  21. Offline

    cyberdude

    I can't on my system (Win7) while minecraft server is running, whether using Eclipse or overwriting it manually. :( I compile to update folder, and /reload does the job for me.
    Anyways, doesn't matter ;) Point is, it's not really any problem creating something that auto updates.
     
    Daniel Heppner likes this.
  22. Offline

    ZachBora

    I'm also on Win7 (64bit) and I export directly in my plugin folder on my running test server then just do /reload.
     