Help on script after removal of processInitCommands

[arjay 7]

So if I am using a callback system implemented say as:

if!(_callback == "") then
{
call compile format["[%1] call %2", _player, _callback];
};

Or using a command router:

call compile format['_command = ["%2"] call arjay_command%1;', _commandId, _unitId];

How open to abuse are these? The first example is something I would much rather handle with an event handler system, rather than a callback one.

With the command router this could be replaced by a large switch statement or similar, but with a lot of command options to route this gets large.

How do others handle issues like this, with security in mind?

[Radioman 6]

So if I am using a callback system implemented say as:

if!(_callback == "") then
{
call compile format["[%1] call %2", _player, _callback];
};

Or using a command router:

call compile format['_command = ["%2"] call arjay_command%1;', _commandId, _unitId];

How open to abuse are these? The first example is something I would much rather handle with an event handler system, rather than a callback one.

With the command router this could be replaced by a large switch statement or similar, but with a lot of command options to route this gets large.

How do others handle issues like this, with security in mind?

I handle such things by not making them dynamic, and actually having a flag based system instead, that uses an array, and a 2-3 letter 'flag', for the switch statement, and maybe even nested flags there after.

A good (and my only real available) example of this can be seen here: https://github.com/MarkusNemesis/Arma3LifeFramework/blob/inDev/A3LifeFramework.Stratis/client/functions/interactions/clientInteractionItemUseEvents.sqf

As for security of your current proposal, there's so many holes in it, it's swiss cheese. First one especially, but the second one isn't too bad, but could become subjected to code injection, ie _unitId could = "unitID; 0 spawn {malicious code here};", and your system would run it without any questions, as it'd work fine.

Edited May 3, 2013 by Radioman

[killzone_kid 1326]

arjay have a look at part 2 of my tutorial on variables on http://killzonekid.com how to avoid using call compile

[arjay 7]

I handle such things by not making them dynamic, and actually having a flag based system instead, that uses an array, and a 2-3 letter 'flag', for the switch statement, and maybe even nested flags there after.

A good (and my only real available) example of this can be seen here: https://github.com/MarkusNemesis/Arm...mUseEvents.sqf

As for security of your current proposal, there's so many holes in it, it's swiss cheese. First one especially, but the second one isn't too bad, but could become subjected to code injection, ie _unitId could = "unitID; 0 spawn {malicious code here};", and your system would run it without any questions, as it'd work fine.

Thanks for that radioman, I'll go back to the switch based system I had before, and before I got lazy of typing.

Are these issues still problematic if these functions are only compiled on the server? Apologies if this is a basic question, I'm still trying to get my head around security concerns for mulitplayer scritping..

As an aside radioman some lovely code in your LifeFramework there..

Killzone Kid, I read your tutorial, sorry if I'm being dense but the alternative to call compile was not jumping out at me - care to point me in the right direction?

[killzone_kid 1326]

Killzone Kid, I read your tutorial, sorry if I'm being dense but the alternative to call compile was not jumping out at me - care to point me in the right direction?

I've made a tutorial on how not to use call compile

http://killzonekid.com/arma-scripting-tutorials-constructing-secure-callback/

Edited May 3, 2013 by Killzone_Kid

[arjay 7]

Thanks for that KK, thats a nice construct for securing a callback system. The community really needs more example based tutorials like yours to cover security - as with most programming languages ARMA scripting is easy to copy and paste a hacked together script, but the subtleties of security and performance are many. If I ever get onto doing client server scripting I will give it a good look.

The examples I gave above are only compiled by the server, so I guess are reasonably safe from injection, I got paranoid after all the security issues came up, so thought it was best to ask.

A couple of points KK:

If I'm using a included function initialisation script to compile my script library:

init.sqf

#include "arjay\arjay_kickstart.sqf"

arjay_kickstart.sqf

call compileFinal preprocessFileLineNumbers "arjay\arjay_util.sqf";
call compileFinal preprocessFileLineNumbers "arjay\arjay_gear.sqf";
call compileFinal preprocessFileLineNumbers "arjay\arjay_task.sqf";

arjay_util.sqf

arjay_someFucntion = { code.. };
arjay_someFucntion2 = { code.. };
arjay_someFucntion3 = { code.. };

I assume I dont need to stringify and compile final all the methods (as in your example) in those library scritps as all the vars in the files are being compiled final as a group?

Also an aside, your simple private variable extractor is very useful, it would be great if you could add a checkbox option to disable reserved variable filtering. I commonly use vars like _target as they are only reserved in special circumstances.

Great job all round on your tutorials!

[killzone_kid 1326]

I have added to that tutorial arjay, explaining the problem. In short, no, you cannot do it. The functions defined inside the file you compileFinal do not get finalised by association you have to do it explicitly.

I will look into PV extractor, might as well have the option. BTW _target is hilighted differently in my highlighter so you might want to avoid using it in the first place.

[arjay 7]

Thanks for that KK, thats a PITA re the compileFinal and files with multiple functions, ah well.. Thanks again for your help

[.kju 3240]

Maybe I am missing something but why you want to use call compile format _function anyway?

Either you use one pV+pVEH per function, or one pV+pVEH plus function id and switch statement to make sure the right one is launched.

I am using the former so far, as there might be some timing issues when the receiver gets two inputs the same time.

In the end probably not a problem if the engine handles it properly, yet one would have to test this first to be sure.

The benefit would reduced data to be sent to JIP (as every pV data is sent to each JIP).

PS: You can check my design here: https://dev-heaven.net/projects/push/repository/revisions/master/entry/dev/TM.Limnos/source/scripts/client/PublicVariableEventHandlerSetup.sqf

[arjay 7]

Your quite right kju, I'm a beginner ARMA scripter and got a bit lost in the architecture there. The code I was talking about is server side only, I got worried about my code being injectable with all the BIS_fnc_mp talk flying around at present. All this sending code over the network to clients is a completely foreign concept to me. Please disregard.

[.kju 3240]

No worries ARJay - I was mainly talking about Killzone Kid's example.

I have seen such coding many times, however to me it seems there is a cleaner design available and its actually easier to understand too.

[killzone_kid 1326]

;2388666']Maybe I am missing something but why you want to use call compile format _function anyway?

Sorry kju, was it directed at me? If so, then I can assure you I don't want to use call compile format _function.

[.kju 3240]

Copy. However you may want to add at least a note in the tutorial that the sample is not good practice but just to show the change in design.

[killzone_kid 1326]

Not sure which sample we are talking about. The call compile format one clearly states it is bad idea.

So first thing is first, we never use call compile format combo

[[evo] dan 79]

Nvm

I managed to figure out what I did wrong thanks to the biki.

Simple vehicle respawn script using the new method:

execute the command using:

0 = [this,5] execVM "utility_scripts\vehicle_respawn.sqf"

Change the '5' to whatever you want respawn time to be.

_vehicle = _this select 0;
_respawntime = _this select 1;
_facingofvehicle = getDir _vehicle;
_positionofvehicle = getPosATL _vehicle;
_vehicletype = typeOf _vehicle;
_n = 1;
if(isServer) then{
while{_n == 1} do{
	if((!alive _vehicle) || (!canMove _vehicle)) then {
		sleep 3;
		deleteVehicle _vehicle;
		sleep _respawntime;
		_vehicle = _vehicletype createVehicle _positionofvehicle;
		_vehicle setPosATL _positionofvehicle;
		_vehicle setDir _facingofvehicle;
		[[[_vehicle,_respawntime],"utility_scripts\vehicle_respawn.sqf"],"BIS_fnc_execVM",false,false] spawn BIS_fnc_MP;
		_n = 0;
	};
	sleep 10;
};
};

Have been messing around with these functions all day :D

Edited May 5, 2013 by [EVO] Dan

[baloo666 10]

it is so sad to se a game lose the quiality over some dump punks, i have played this game for years well(arma 2) and now arma 3. I have the deluxe edition and was going to buy they supporter edition now im thinkin of ripping some dude of his money by selling him arma 3....

[killzone_kid 1326]

huh? i dont get it, are you on about hacks? they have always been possible it just became more obvious with popularity. or maybe you are on removal of the commands? well there is 101ways you can do the same thing in arma, they made it 100 ways, hardly worth getting broken about it.

[baloo666 10]

err maybe i should lern how to eplain my self a bit better :) ive only played coop in this game thats why i havent bin discovered it yet and i will probebly never play pvp for the same reason (hacks).

and i love to edit, it is fun and a good time killer. Bin useing community made scripts in every mission made, after the update some of the importants for me is the "Editor based AI spawn script by trigger", it is awsome but now i cant use it anymore, cuz it wont rebmember init field and name so have to lern it the hard way and i allready use to much time on it. So to ease it up a little i used that script to call enemys to the field.

i tryed to edit the script a bit my self made it work again thats how i found out about the name and initfield.

[jw custom 56]

i tryed to edit the script a bit my self made it work again thats how i found out about the name and initfield.

...so the big problem is?

executing scripts on all clients... explained in this thread several times.

[1para{god-father} 105]

ok guys really having issues with this, been through this whole thread and TBH still unsure

What is the best way to add something to a spawned units INIT ? can we create a function that we can call and use all the time and just pass the init we need ?

can anyone provide an easy example ? say to add an add-action onto a spawned unit

_unitinit= "this addaction ['Capture', 'scripts\xxxxxxx.sqf', [],1,false,true,'','((side _this) == west)'];";

[killzone_kid 1326]

What is the best way to add something to a spawned units INIT ?

And why would you want to do this? It is spawned, init is now useless.

[dmarkwick 261]

Maybe he means spawning unit's init :)

[1para{god-father} 105]

Sorry yes Spawning Unit :)

i.e

_grp = createGroup WEST;
_pilot = _grp createUnit ["B_Helipilot_F", _pos, [], 0, "FORM"];

how would i now add the add-action to this unit

[killzone_kid 1326]

init.sqf

fnc_unitinit= {_this addaction ['Capture', 'scripts\xxxxxxx.sqf', [],1,false,true,'','((side _this) == west)'];};

where you exec your createunit

_grp = createGroup WEST;

_pilot = _grp createUnit ["B_Helipilot_F", _pos, [], 0, "FORM"];

[_pilot, "fnc_unitinit", true, true] spawn BIS_fnc_MP;

[1para{god-father} 105]

init.sqf

fnc_unitinit= {_this addaction ['Capture', 'scripts\xxxxxxx.sqf', [],1,false,true,'','((side _this) == west)'];};

where you exec your createunit

_grp = createGroup WEST;

_pilot = _grp createUnit ["B_Helipilot_F", _pos, [], 0, "FORM"];

[_pilot, "fnc_unitinit", true, true] spawn BIS_fnc_MP;

That easy, well i am trying to over complicate things for sure :)

Thanks ill give that a go !