Merely | Joined: 07 Dec 2010 | Total Posts: 17266 | 06 Feb 2014 01:29 AM
Since the devs haven't posted any information about this new property yet, I'll fill you guys in.
In the most recent studio/player update, a new property was added to Workspace: Workspace.FilteringEnabled.
When this property is enabled, the server ignores any requests from LocalScripts from players that try to change the property of instances, create new instances, delete instances, or fire methods. The only exceptions are being able to fire RemoteFunctions and RemoteEvents (classes used for server->client communication and vice versa).
Players can still modify any instances within their own PlayerGui, but PlayerGui no longer replicates to the server. This means server scripts in PlayerGui will not run, and to the server, PlayerGui does not exist.
This will break most vehicles (which manually update properties of VehicleSeats) and gear (because they use localscripts to manipulate instances in the Workspace).
Yes, this means you have to rewrite your games to work with the filter, but the plus side is that it becomes virtually impossible to exploit. We will still see noclipping and exploits that involve changing the speed or position of the local character, but you won't see exploits that destroy the map or edit instances.
The property doesn't serialize, so you'll have to have a server script set it if you want to test it out in online mode. It isn't visible in explorer either.
This information has been gathered secondhand, so it may not be 100% accurate. Feel free to correct me if you know more about the filter than I do.
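
A server-side handler for the model described in the post above, added here as an illustration and not part of the original thread: the client can only ask through a RemoteEvent, and the server decides whether to act. The names ToggleDoor, Doors, MAX_DISTANCE and COOLDOWN are hypothetical.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; the names
-- ToggleDoor, Doors, MAX_DISTANCE and COOLDOWN are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- The post says the property does not serialize, so a server script sets it.
workspace.FilteringEnabled = true

local MAX_DISTANCE = 12   -- studs between character and door
local COOLDOWN = 0.5      -- seconds between accepted requests per player

local doors = workspace:WaitForChild("Doors")
local toggleDoor = Instance.new("RemoteEvent")
toggleDoor.Name = "ToggleDoor"
toggleDoor.Parent = ReplicatedStorage

local lastRequest = {}    -- [Player] = os.clock() of last accepted request

-- Returns true only if this request is one the server is willing to act on.
local function isAllowed(player, door)
	-- Arguments come from the client: check type and location first.
	if typeof(door) ~= "Instance" or not door:IsA("BasePart") then return false end
	if not door:IsDescendantOf(doors) then return false end

	-- Distance is measured on the server's copy of the character.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then return false end
	if (root.Position - door.Position).Magnitude > MAX_DISTANCE then return false end

	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < COOLDOWN then return false end
	lastRequest[player] = now
	return true
end

-- The first argument is supplied by the engine, not by the client.
toggleDoor.OnServerEvent:Connect(function(player, door)
	if not isAllowed(player, door) then return end
	door.CanCollide = not door.CanCollide
	door.Transparency = door.CanCollide and 0 or 0.7
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil
end)
```

As the post notes, the local character's position can still be manipulated, so the distance check narrows what a client can request rather than proving where the player really is.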

Merely | Joined: 07 Dec 2010 | Total Posts: 17266 | 06 Feb 2014 01:29 AM
I made a typo in the title, should have been Workspace.FilteringEnabled.

06 Feb 2014 02:14 AM
So basically, nothing can pass through the client's data storage without consent of the server?

AIienAIex | Joined: 21 Aug 2013 | Total Posts: 54 | 06 Feb 2014 02:59 AM
http://www.youtube.com/watch?v=P3ALwKeSEYs

dracomanx | Joined: 23 May 2013 | Total Posts: 15642 | 06 Feb 2014 03:52 AM
Merely why exactly aren't you a mod anymore?

LordHammy | Joined: 27 Jan 2011 | Total Posts: 3647 | 06 Feb 2014 04:14 AM
Thanks, Merely.
This is a good way to reduce exploits, like you said.
Nice job on explaining.

IDemon | Joined: 10 Nov 2008 | Total Posts: 962 | 06 Feb 2014 04:38 AM
@Draco, he was an intern and is a student.

06 Feb 2014 08:16 AM
YA! So bluedropz got no power now :)

06 Feb 2014 09:12 AM
@Exploiters
rekt kids
rekttttt
unless you somehow find a way around this-
REKT
-rekt: https://www.youtube.com/watch?v=56lzvEtnRwI-

Tenal | Joined: 15 May 2011 | Total Posts: 18684 | 06 Feb 2014 10:26 AM
I'm just glad that it's not set to it by default. Doing so would break many games.

Looah | Joined: 22 Feb 2013 | Total Posts: 922 | 06 Feb 2014 12:32 PM
And then exploiters flip the ROBLOX staff off by uncovering a place stealing exploit

Merely | Joined: 07 Dec 2010 | Total Posts: 17266 | 06 Feb 2014 12:36 PM
EchoReaper: Shedletsky is offering 100 USD or Lifetime OBC to the first user to provide repro steps for a place stealing exploit that includes server-side script sources. So far no one has taken him up on it.

06 Feb 2014 12:38 PM
@Merely: I hear that the exploit is going around on RbxDev.
I was just sent a place that was stolen using the exploit: http://www.roblox.com/Place-Stealing-Exploit-Test-place?id=144961461

Merely | Joined: 07 Dec 2010 | Total Posts: 17266 | 06 Feb 2014 12:39 PM
EchoReaper: The hopperbin exploit was patched.

Merely | Joined: 07 Dec 2010 | Total Posts: 17266 | 06 Feb 2014 12:42 PM
The RbxDev discussion right now consists of users opening up fiddler, opening their own place files (because their cookies are attached), and thinking that they found a way to steal places. It's a lot of speculation and misunderstanding of how the system works.

06 Feb 2014 12:46 PM
If you read it, it isn't that, Merely. The RbxDev discussion consists of people trying to figure out how to spoof information or other ways of getting the download link which requires no auth. I mean, http://c7.rbxcdn.com/0e861f2ab0b92b38b4f0aa8527f4def8 isn't owned by any one of us here, but we're able to download and open it regardless of our current auth info. That is the hole we're looking at; if we can somehow grab that url for any place, we can download it.
~LuaWeaver; Programmer, gamer, developer.

sncplay42 | Joined: 27 Nov 2008 | Total Posts: 11891 | 06 Feb 2014 12:49 PM
>That is the hole we're looking at; if we can somehow grab that url for any place, we can download it.
And it's a pretty big if.

06 Feb 2014 12:50 PM
A big if, but not misunderstanding how the system works. We know that obviously, the method we currently have for grabbing places only works on our own/uncopylocked places.
~LuaWeaver; Programmer, gamer, developer.

Merely | Joined: 07 Dec 2010 | Total Posts: 17266 | 06 Feb 2014 12:51 PM
TheLuaWeaver: Shedletsky established that 3 pages ago. Everyone else keeps on talking about the hash algorithm as if it was the key, but it is not. Finding a page on the website that gives us the hash of an asset that we are unauthorized to download - that is the key.

06 Feb 2014 12:52 PM
You mentioned PlayerGui, but not anything about characters.
Are they now uneditable?

06 Feb 2014 12:52 PM
Is the download for the current version, or the version the place was when the download link was retrieved?