[sldev] Problem with script errors

Thomas Grimshaw tom at streamsense.net
Wed Sep 10 02:33:00 PDT 2008


I am posting this here since this jira outlines a potential exploit with 
the way SL handles errors from scripts; I have only classified the Jira 
as a "new feature" since it's not a bug as such.. should I upgrade it?

====

http://jira.secondlife.com/browse/SVC-3044

Currently, script errors in second life are handled as follows:

1 Script errors are reported to the script warning/error window
2 As default, script errors are also outputted into local chat
3 If you create a script to listen on channel 0, "script error" messages 
appear to becoming from a NULL_KEY
4 If an object on a hud has created an error, there is no way for a 
non-linden to know where the error came from
5 Sending chat to DEBUG_CHANNEL will currently output into chat 
regardless of the client configuration

This presents the following issues:

- Issues 2, 3 and 4 combined present a very large exploitable weakness. 
I could go into a crowded sim, create a prim with twenty or so scripts 
designed to error and reset in quick succession, and attach it to my 
hud. Any user with default settings would receive a massive flood of 
debug spam in their chat window, and no script or client will be able to 
detect which avatar is causing the spam.

- Currently there is no viable way for an object / product to 
self-diagnose errors. This is basic functionality which should be present.

The fix I suggest is as follows:

- Allow scripts to listen on CHANNEL_DEBUG for script errors, and ensure 
that the KEY of the offending object is passed.


More information about the SLDev mailing list