CloneTrooper1019 is not online. CloneTrooper1019
Joined: 19 Jan 2009
Total Posts: 6227
04 May 2014 06:53 PM
On May 12th, Server-side loadstring() will be disabled by default. The LoadStringEnabled property will be removed from the Workspace, and will get moved over to the ServerScriptService. The property will be off by default, and will not be scriptable (It can still be set in studio though).

If you are using loadstring still, you need to think of a better implementation as soon as possible, and if all else fails, you can enable the property.
There is no guarantee that loadstring will be around forever, and it may be disabled completely in the future with no way to bring it back (on the server side at least).

The reason they are doing this is because server-side loadstring makes it easy to intentionally/unintentionally introduce a new security vulnerability. In the long run, this change will be for the better.


Report Abuse
MrChubbs is not online. MrChubbs
Joined: 14 Oct 2010
Total Posts: 4969
04 May 2014 06:56 PM
"If you are using loadstring still, you need to think of a better implementation as soon as possible" Er...so you're basically saying implement custom eval functions? Sounds interesting, but painful.
Report Abuse
AndroidKitKat is not online. AndroidKitKat
Joined: 21 Sep 2013
Total Posts: 1525
04 May 2014 06:57 PM
I truthfully think it is the scripter's fault to not make it secure enough. This brings us back to the problem of eval()'ing user input; it just never works.

EOS db 0x00 ;End of String Marker
Report Abuse
CloneTrooper1019 is not online. CloneTrooper1019
Joined: 19 Jan 2009
Total Posts: 6227
04 May 2014 06:57 PM
I'd suggest creating some RemoteFunctions/Events to run requests you legitimately need through loadstring.

If you are going to enable it online, make sure it's on some debug place that won't do damage to your games.
Report Abuse
zars15 is not online. zars15
Joined: 10 Nov 2008
Total Posts: 9999
04 May 2014 06:57 PM
Well you can still use them on localscripts all fine, it's just the server scripts.

Also, unless your place is a script builder, I don't see big point in using loadstring for a game.
Report Abuse
Marolex is not online. Marolex
Joined: 17 Dec 2012
Total Posts: 1785
04 May 2014 06:58 PM
^

-King Scrub
Report Abuse
MrChubbs is not online. MrChubbs
Joined: 14 Oct 2010
Total Posts: 4969
04 May 2014 06:58 PM
It makes graphic calculators easier.
Report Abuse
CloneTrooper1019 is not online. CloneTrooper1019
Joined: 19 Jan 2009
Total Posts: 6227
04 May 2014 06:59 PM
@zars
Admin commands are very common and some of them have script builders built into them. This wouldn't be a problem if the script builders ran entirely in the ServerScriptService. A lot of people run them in the workspace, which is a massive problem.
Report Abuse
bohdan77 is not online. bohdan77
Joined: 10 Aug 2008
Total Posts: 7944
04 May 2014 07:00 PM
In reality it won't be much of a change. Since you can loadstring it via the client, then send it through a remotefunction.
Report Abuse
zars15 is not online. zars15
Joined: 10 Nov 2008
Total Posts: 9999
04 May 2014 07:02 PM
Well yeah.. Admin commands, but since now we have all the DataStore stuff and what not, this is truly a good update.

Admin commands creating local scripts seems like a better alternative now (of course, if you have filtering disabled).
Report Abuse
zars15 is not online. zars15
Joined: 10 Nov 2008
Total Posts: 9999
04 May 2014 07:03 PM
@bohdan

I don't think that you can send live code across from client to server (like functions).
Report Abuse
bohdan77 is not online. bohdan77
Joined: 10 Aug 2008
Total Posts: 7944
04 May 2014 07:04 PM
Ah, was worth a try, anyhow.
Report Abuse
MrChubbs is not online. MrChubbs
Joined: 14 Oct 2010
Total Posts: 4969
04 May 2014 07:05 PM
I think you can, actually.
Report Abuse
bohdan77 is not online. bohdan77
Joined: 10 Aug 2008
Total Posts: 7944
04 May 2014 07:07 PM
Tried it, it's turned to nil. Unless I'm doing something wrong.
Report Abuse
suremark is not online. suremark
Joined: 13 Nov 2007
Total Posts: 6315
04 May 2014 07:26 PM
"The reason they are doing this is because server-side loadstring makes it easy to intentionally/unintentionally introduce a new security vulnerability. "

So if I'm reading this right: they're phasing out loadstring because it "makes it easy" to find new security vulnerabilities? I think that's poor reasoning-- to me, it sounds like the ROBLOX devs are just tired of fixing loadstring.
Report Abuse
CloneTrooper1019 is not online. CloneTrooper1019
Joined: 19 Jan 2009
Total Posts: 6227
04 May 2014 07:28 PM
@suremark
I wrote that wrong sorry.
These are words from zeuxcg on the RBXDev forums. Here is the actual stuff he wrote us:

Server-side loadstring() makes it easy to intentionally or unintentionally introduce a security vulnerability. This has been covered quite a few times so I won't recite the reasons again.

There is a way to opt out of loadstring() on the server side right now, but it does not provide enough protection - you have to explicitly disable it. This is not enough - so we're taking the next step.

On May 7th evening, we'll ship a new property in ServerScriptService (called LoadStringEnabled). It will be off by default. You will see it in Studio. No, it's not scriptable :)

On May 12th, we'll disable loadstring() on the server side unless you explicitly enabled this property. Enabling it comes with a security risk both from your code and from the models or scripts you're using, so don't do it blindly! There's usually a better way.

If you are not using loadstring() on the server, you don't have to do anything.

If you are using loadstring() on the server, we urge you to think of a better way and implement it. If all else fails, you can enable the aforementioned property (ServerScriptService.LoadStringEnabled) after May 7th. However, there's no guarantee that we won't disable server side loadstring() completely without any way to bring it back in the future.

Stay safe.
Las
Report Abuse
AndroidKitKat is not online. AndroidKitKat
Joined: 21 Sep 2013
Total Posts: 1525
04 May 2014 07:35 PM
I wrote that erroneously*

writing it "wrongly" means that you intentionally did it. ;)

Just a friendly grammar lesson.

Also, what does he mean by opt out?
Report Abuse
CloneTrooper1019 is not online. CloneTrooper1019
Joined: 19 Jan 2009
Total Posts: 6227
04 May 2014 07:39 PM
I didn't say wrongly, lol
Report Abuse
AndroidKitKat is not online. AndroidKitKat
Joined: 21 Sep 2013
Total Posts: 1525
04 May 2014 07:40 PM
Yeah, my apologies, but still, wrong means with malicious intent. ;)
Report Abuse
VirtualPrince is not online. VirtualPrince
Joined: 17 Oct 2013
Total Posts: 7386
04 May 2014 08:17 PM
Thanks for telling us, I wish developers that are not in RBXDev get these warnings too.
Report Abuse
AndroidKitKat is not online. AndroidKitKat
Joined: 21 Sep 2013
Total Posts: 1525
04 May 2014 08:28 PM
VirtualPrince, I wholeheartedly agree. It seems as though they're no longer focusing on the general public.
Report Abuse
NexuiosThelV is not online. NexuiosThelV
Joined: 14 Jun 2013
Total Posts: 28
05 May 2014 10:19 PM
I might dislike this update, but as long as I can make a custom loadstring function I am fine. (StringValues)
Report Abuse
zars15 is not online. zars15
Joined: 10 Nov 2008
Total Posts: 9999
05 May 2014 11:45 PM
You cannot make custom loadstring function.
Report Abuse
suremark is not online. suremark
Joined: 13 Nov 2007
Total Posts: 6315
06 May 2014 04:33 PM
@AndroidKitKat Not necessarily. Just as an answer on a test can be "wrong", a phrase can be written wrong. Don't nitpick if you've got nothing useful to say.

As for loadstring going away, I suppose there's not much to be upset about-- nothing good has ever come out of public script builders besides kiddos using free-model admin scripts. Private script builders will still be there for those who want to test scripts together.
Report Abuse
stravant is not online. stravant
Forum Moderator
Joined: 22 Oct 2007
Total Posts: 2893
06 May 2014 05:20 PM
"You cannot make custom loadstring function."

It will be quite slow compared to the native one, but you definitely can. In fact, you can make a loadstring function in any Turing complete language.
Report Abuse
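
The kind of custom evaluator MrChubbs and stravant describe in the thread, for the graphing-calculator case, as an added example that is not from any poster or from Roblox: a recursive-descent parser in plain Lua 5.1 that accepts only numbers, `x`, parentheses and `+ - * / ^`, so player-supplied text is never compiled as code. The function name `evaluate`, the 200-character cap and the sample inputs are assumptions made for this example.

```lua
-- Added example (not from the thread): evaluate arithmetic in x without loadstring().
-- expr := term {(+|-) term}   term := unary {(*|/) unary}
-- unary := - unary | atom [^ unary]   atom := number | x | ( expr )
local ADD = { ["+"] = function(a, b) return a + b end, ["-"] = function(a, b) return a - b end }
local MUL = { ["*"] = function(a, b) return a * b end, ["/"] = function(a, b) return a / b end }

local function evaluate(src, x)
  -- The length cap (an assumed value) bounds parser recursion on input such as "((((...".
  if type(src) ~= "string" or #src > 200 then error("bad expression", 0) end
  local pos = 1
  local function peek() -- next non-space character, or "" at end of input
    pos = src:find("%S", pos) or (#src + 1)
    return src:sub(pos, pos)
  end
  local expr -- forward declaration; assigned after term()
  local function atom()
    local c = peek()
    if c == "x" then pos = pos + 1; return x end
    if c == "(" then
      pos = pos + 1
      local v = expr()
      if peek() ~= ")" then error("expected ')' at " .. pos, 0) end
      pos = pos + 1; return v
    end
    local num = src:match("^%d+%.?%d*", pos)
    if not num then error("unexpected '" .. c .. "' at " .. pos, 0) end
    pos = pos + #num; return tonumber(num)
  end
  local function unary()
    if peek() == "-" then pos = pos + 1; return -unary() end
    local base = atom()
    if peek() == "^" then pos = pos + 1; return base ^ unary() end
    return base
  end
  local function binary(operand, ops) -- one left-associative precedence level
    local v = operand()
    while ops[peek()] do
      local op = ops[peek()]; pos = pos + 1
      v = op(v, operand())
    end
    return v
  end
  local function term() return binary(unary, MUL) end
  function expr() return binary(term, ADD) end
  local value = expr()
  if peek() ~= "" then error("unexpected '" .. peek() .. "' at " .. pos, 0) end
  return value
end
-- Constructed inputs: two formulas, then a string that is code rather than arithmetic.
for _, s in ipairs({ "2*x^2 - 3*(x + 1)", "-2^2 / 4", "print('not math')" }) do print(s, pcall(evaluate, s, 3)) end
```

Anything outside the grammar makes `pcall` return `false` with a parse error; the input is rejected rather than executed, which is the property server-side loadstring() cannot give.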