[sldev] Problem with script errors
Thomas Grimshaw
tom at streamsense.net
Wed Sep 10 02:33:00 PDT 2008
I am posting this here since this Jira outlines a potential exploit with
the way SL handles errors from scripts; I have only classified the Jira
as a "new feature" since it's not a bug as such. Should I upgrade it?
====
http://jira.secondlife.com/browse/SVC-3044
Currently, script errors in Second Life are handled as follows:
1. Script errors are reported to the script warning/error window
2. By default, script errors are also output into local chat
3. If you create a script to listen on channel 0, "script error" messages
appear to be coming from a NULL_KEY
4. If an object on a HUD has created an error, there is no way for a
non-Linden to know where the error came from
5. Sending chat to DEBUG_CHANNEL will currently output into chat
regardless of the client configuration
This presents the following issues:
- Issues 2, 3 and 4 combined present a very large exploitable weakness.
I could go into a crowded sim, create a prim with twenty or so scripts
designed to error and reset in quick succession, and attach it to my
HUD. Any user with default settings would receive a massive flood of
debug spam in their chat window, and no script or client will be able to
detect which avatar is causing the spam.
- Currently there is no viable way for an object / product to
self-diagnose errors. This is basic functionality which should be present.
The fix I suggest is as follows:
- Allow scripts to listen on CHANNEL_DEBUG for script errors, and ensure
that the KEY of the offending object is passed.