| 04 May 2014 06:53 PM |
On May 12th, Server-side loadstring() will be disabled by default. The LoadStringEnabled property will be removed from the Workspace, and will get moved over to the ServerScriptService. The property will be off by default, and will not be scriptable (It can still be set in studio though).
If you are using loadstring still, you need to think of a better implementation as soon as possible, and if all else fails, you can enable the property. There is no guarantee that loadstring will be around forever, and it may be disabled completely in the future with no way to bring it back (on the server side at least).
The reason they are doing this is because server-side loadstring makes it easy to intentionally/unintentionally introduce a new security vulnerability. In the long run, this change will be for the better.
MrChubbs
| Joined: 14 Oct 2010 |
| Total Posts: 4969 |
| 04 May 2014 06:56 PM |
| "If you are using loadstring still, you need to think of a better implementation as soon as possible" Er...so you're basically saying implement custom eval functions? Sounds interesting, but painful. |
| 04 May 2014 06:57 PM |
I truthfully think it is the scripter's fault to not make it secure enough. This brings us back to the problem of eval()'ing user input; it just never works.
EOS db 0x00 ;End of String Marker |
| 04 May 2014 06:57 PM |
I'd suggest creating some RemoteFunctions/Events to run requests you legitimately need through loadstring.
If you are going to enable it online, make sure it's on some debug place that won't do damage to your games.
zars15
| Joined: 10 Nov 2008 |
| Total Posts: 9999 |
| 04 May 2014 06:57 PM |
Well you can still use them on localscripts all fine, it's just the server scripts.
Also, unless your place is a script builder, I don't see big point in using loadstring for a game. |
Marolex
| Joined: 17 Dec 2012 |
| Total Posts: 1785 |
MrChubbs
| Joined: 14 Oct 2010 |
| Total Posts: 4969 |
| 04 May 2014 06:58 PM |
| It makes graphic calculators easier. |
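The graphing-calculator case mentioned above does not need loadstring(). The following is an added example, not code from any poster or from ROBLOX: a small recursive-descent evaluator in plain Lua that accepts only numbers, `x`, arithmetic operators, parentheses and an allowlist of math functions. The names `evaluate`, `FUNCS` and `OPS` and the 200-character cap are assumptions of this example.

```lua
-- Added example (not from the thread): formula evaluation without loadstring().
local FUNCS = { sin = math.sin, cos = math.cos, sqrt = math.sqrt, abs = math.abs }
local OPS = {
  ["+"] = function(a, b) return a + b end, ["-"] = function(a, b) return a - b end,
  ["*"] = function(a, b) return a * b end, ["/"] = function(a, b) return a / b end,
}
local function evaluate(src, x)
  local valid = type(src) == "string" and #src <= 200 and type(x) == "number"
  if not valid then return false, "bad arguments" end -- 200: assumed length cap
  local pos, expr = 1, nil -- expr is assigned below, after the helpers it needs
  local function fail(what) error(what .. " at position " .. pos, 0) end
  local function take(pattern) -- consume and return the next token if it matches
    local tok, nxt = src:match("^%s*(" .. pattern .. ")()", pos)
    if tok then pos = nxt end
    return tok
  end
  local function atom() -- number | x | allowlisted-function(expr) | (expr)
    local num = take("%d*%.?%d+")
    if num then return tonumber(num) end
    local name = take("%a+")
    if name == "x" then return x end
    local f = name and (FUNCS[name] or fail("unknown function '" .. name .. "'"))
    if not take("%(") then fail(name and "expected '('" or "expected a value") end
    local v = expr()
    if not take("%)") then fail("expected ')'") end
    return f and f(v) or v -- f(v) is always a number, so this is safe
  end
  local function unary() -- "-" binds looser than "^", as in Lua itself
    if take("%-") then return -unary() end
    local base = atom()
    return take("%^") and base ^ unary() or base
  end
  local function level(operand, pattern) -- left-associative binary operators
    return function()
      local v = operand()
      for op in function() return take(pattern) end do
        v = OPS[op](v, operand())
      end
      return v
    end
  end
  expr = level(level(unary, "[*/]"), "[+-]")
  return pcall(function()
    local v = expr()
    if take("%S") then error("unexpected trailing input", 0) end
    return v
  end)
end
print(evaluate("2*sin(x)^2 + 1", 0.5)) -- constructed formula
print(evaluate("os.exit()", 0))        -- constructed non-formula input
```

`evaluate` returns `true` and the value, or `false` and an error message, so input that is not a formula is rejected instead of executed.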
| 04 May 2014 06:59 PM |
@zars Admin commands are very common and some of them have script builders built into them. This wouldn't be a problem if the script builders ran entirely in the ServerScriptService. A lot of people run them in the workspace, which is a massive problem.
bohdan77
| Joined: 10 Aug 2008 |
| Total Posts: 7944 |
| 04 May 2014 07:00 PM |
| In reality it won't be much of a change. Since you can loadstring it via the client, then send it through a remotefunction. |
zars15
| Joined: 10 Nov 2008 |
| Total Posts: 9999 |
| 04 May 2014 07:02 PM |
Well yeah.. Admin commands, but since now we have all the DataStore stuff and what not, this is truly a good update.
Admin commands creating local scripts seems like a better alternative now (of course, if you have filtering disabled). |
zars15
| Joined: 10 Nov 2008 |
| Total Posts: 9999 |
| 04 May 2014 07:03 PM |
@bohdan
I don't think that you can send live code across from client to server (like functions). |
bohdan77
| Joined: 10 Aug 2008 |
| Total Posts: 7944 |
| 04 May 2014 07:04 PM |
| Ah, was worth a try, anyhow. |
MrChubbs
| Joined: 14 Oct 2010 |
| Total Posts: 4969 |
| 04 May 2014 07:05 PM |
| I think you can, actually. |
bohdan77
| Joined: 10 Aug 2008 |
| Total Posts: 7944 |
| 04 May 2014 07:07 PM |
| Tried it, it's turned to nil. Unless I'm doing something wrong. |
suremark
| Joined: 13 Nov 2007 |
| Total Posts: 6315 |
| 04 May 2014 07:26 PM |
"The reason they are doing this is because server-side loadstring makes it easy to intentionally/unintentionally introduce a new security vulnerability. "
So if I'm reading this right: they're phasing out loadstring because it "makes it easy" to find new security vulnerabilities? I think that's poor reasoning-- to me, it sounds like the ROBLOX devs are just tired of fixing loadstring. |
| 04 May 2014 07:28 PM |
@suremark I wrote that wrong sorry. These are words from zeuxcg on the RBXDev forums. Here is the actual stuff he wrote us:
Server-side loadstring() makes it easy to intentionally or unintentionally introduce a security vulnerability. This has been covered quite a few times so I won't recite the reasons again.
There is a way to opt out of loadstring() on the server side right now, but it does not provide enough protection - you have to explicitly disable it. This is not enough - so we're taking the next step.
On May 7th evening, we'll ship a new property in ServerScriptService (called LoadStringEnabled). It will be off by default. You will see it in Studio. No, it's not scriptable :)
On May 12th, we'll disable loadstring() on the server side unless you explicitly enabled this property. Enabling it comes with a security risk both from your code and from the models or scripts you're using, so don't do it blindly! There's usually a better way.
If you are not using loadstring() on the server, you don't have to do anything.
If you are using loadstring() on the server, we urge you to think of a better way and implement it. If all else fails, you can enable the aforementioned property (ServerScriptService.LoadStringEnabled) after May 7th. However, there's no guarantee that we won't disable server side loadstring() completely without any way to bring it back in the future.
Stay safe. Las |
| 04 May 2014 07:35 PM |
I wrote that erroneously*
writing it "wrongly" means that you intentionally did it. ;)
Just a friendly grammar lesson.
Also, what does he mean by opt out? |
| 04 May 2014 07:40 PM |
| Yeah, my apologies, but still, wrong means with malicious intent. ;) |
| 04 May 2014 08:17 PM |
| Thanks for telling us, I wish developers that are not in RBXDev get these warnings too. |
| 04 May 2014 08:28 PM |
| VirtualPrince, I wholeheartedly agree. It seems as though they're no longer focusing on the general public. |
| 05 May 2014 10:19 PM |
| I might dislike this update, but as long as I can make a custom loadstring function I am fine. (StringValues) |
zars15
| Joined: 10 Nov 2008 |
| Total Posts: 9999 |
| 05 May 2014 11:45 PM |
| You cannot make custom loadstring function. |
suremark
| Joined: 13 Nov 2007 |
| Total Posts: 6315 |
| 06 May 2014 04:33 PM |
@AndroidKitKat Not necessarily. Just as an answer on a test can be "wrong", a phrase can be written wrong. Don't nitpick if you've got nothing useful to say.
As for loadstring going away, I suppose there's not much to be upset about-- nothing good has ever come out of public script builders besides kiddos using free-model admin scripts. Private script builders will still be there for those who want to test scripts together. |
stravant
| Joined: 22 Oct 2007 |
| Total Posts: 2893 |
| 06 May 2014 05:20 PM |
"You cannot make custom loadstring function."
It will be quite slow compared to the native one, but you definitely can. In fact, you can make a loadstring function in any Turing complete language. |