#**Feedback**
Most malicious attacks are manually run by users themselves.
Erm, an example. I can make a file called OptimziePZ.exe, one day a user will chance upon that and see that, nothing suspicious about the name, then run it.
Natural selection
Hmm I guess that makes sense
It's a problem if you can replace a system file, or PZ's game executable itself.
You can't replace a system file, because that's outside of the scope of PZ (besides the last security patch they did, which I assume is now impossible)
@wet glade also you forgot .dll and .scr and a few others. A whitelist honestly might be better (.txt, .lua)
Would that even fix the problem? Considering like on Linux files don't need file extensions in most cases
Are there any files that end in .txt that get automatically executed by linux or steam?
It would at least prevent you from overwriting any files that don't end in .txt
meaning getting your payload executed is MUCH harder.
idk, but limiting to .txt might be too rough too
currently, most file writing is so you can write stuff that is then read back by zomboid, or a dedicated program designed to interface with PZ
Yea which I suppose shouldn't be a problem, like for parsing jsons or data files in general
I mean you can definitely argue for extra file types for the whitelist, like .bmp/.tga/etc.
png too, there's definitely modding use cases for that
but a whitelist is prob easier than a blacklist from a security standpoint.
Definitely
I'd argue trying to homebrew your own LUA png compressor is 100% cursed but sure. Have fun.
I have seen proof that making your own png directly from Lua is possible and would have a use
unrelated
#mod_development message
(png is over 100 different compression algos, chosen per-line, in a trenchcoat)
Who said you have to compress it 
hence bmp/tga format is fine
Those can't be loaded by the game
The point of allowing png is in fact to allow modders to generate png and load them as textures
Vaguely related, I just found texture:saveToCurrentSavefileDirectory exists...
Linux needs X permission to run the file, so if one literally adds the X permission, that's truly natural selection for ya. UI typically needs extensions to recognize it is executable by specific programs.
I think it is simply easier to absentmindedly double click something than to explicitly grant permission to run something.
I may be too late for this topic, but can't modders already just drag those type of files directly into their mod folders? -.-
Adding a restriction to one very overcomplicated method to write a file seems a bit too excessive.
I think a better approach would be for the game to instead just scan the mod file extensions for anything suspicious and flag them.
Like let the malicious strangers fall directly into the trap.
They can, the problem is creating these kind of files anywhere basically
If you limit the file writer formats, you kind of make it less likely that methods that would allow writing those files anywhere would create such an exe, I think?
Not sure what you mean by that
That was more like a joke into making bad actors alert themselves as bad actors.
Well, the only places zomboid has for modders to write stuff right now, is either their own mod folder or the LuaFiles folder.
If I'm not mistaken, one of the security issues that happened was that modders actually could write anywhere
I believe so too.
Kinda crazy how there were two massive security breaches into writing files.
If I remember, there was one that let you practically delete ANY file from the user's computer.
The reality is that no one looked into security risks of PZ
Thankfully
Only us modders who dig deep in the game tend to find these
Just like the risk of nuclear warheads, we've been REALLY lucky so far.
Basically
Lucky IndieStone devs, they attracted a bunch of white hats to their side