[Addon] LibRpc-0.2 / LibTrust-0.1

[Chorizotarian]

Is it possible to use LibRpc to allow or disallow a third client via libtrust, in other words, can I use LibRpc to remotely manipulate libtrust? If so, it might be a bit of a security concern. (Could just read the code, but asking is more fun :]).

Oops, missed one! Yeah, you could manipulate the LibTrust settings remotely via LibRpc, but only if you have sufficient permissions. If you just do "/trust allow <main>" on your clones then you've granted full trust. At that point the main can already run whatever remote API he wants, so there's no point in trying to hack the LibTrust settings.

You could also enable finer-grained security settings: "/trust allow <main> <api>" or "/trust deny <main> <api>". If you only allow the specific APIs that you need then you probably could lock down things enough that it wouldn't be possible to manipulate the trust settings remotely. You'd have to be careful though because LUA provides ways to create and run code on the fly. On the whole I think that trying to lock things down beyond which chars you trust is probably overkill.

[Blubber]

You shouldn't need to add the saved variables. The idea is that LibTrust saves the settings in it's own SavedVariables and you call the public API.

I actually haven't tried embedding it yet. Maybe it's not working right. Can you post a code sample?

Here's what I do for LibRpc (non-embedded):

Code:

local libTrust = LibStub("LibTrust-0.1")
if not libTrust then error(MAJOR .. " requires LibTrust-0.1") end
...
if not libTrust:IsAllowed(sender) then
    ...
end

Problem is, I embedded both LibRpc and LibTrust, but libtrust doesn't seem to save anything. Only when I add the SavedVariables to the tOC it starts saving.

[Blubber]

Is it possible to use LibRpc to allow or disallow a third client via libtrust, in other words, can I use LibRpc to remotely manipulate libtrust? If so, it might be a bit of a security concern. (Could just read the code, but asking is more fun :]).

Oops, missed one! Yeah, you could manipulate the LibTrust settings remotely via LibRpc, but only if you have sufficient permissions. If you just do "/trust allow <main>" on your clones then you've granted full trust. At that point the main can already run whatever remote API he wants, so there's no point in trying to hack the LibTrust settings.

You could also enable finer-grained security settings: "/trust allow <main> <api>" or "/trust deny <main> <api>". If you only allow the specific APIs that you need then you probably could lock down things enough that it wouldn't be possible to manipulate the trust settings remotely. You'd have to be careful though because LUA provides ways to create and run code on the fly. On the whole I think that trying to lock things down beyond which chars you trust is probably overkill.

I don't think it's really anything to worry about, as you point out, it should be reasonably safe at the moment. However, there are some pretty powerful API functions out there, that I don't want anybody else calling .

[Chorizotarian]

Problem is, I embedded both LibRpc and LibTrust, but libtrust doesn't seem to save anything. Only when I add the SavedVariables to the tOC it starts saving.

I found a problem with the embedding implementation (as in I hadn't provided one, oops). Fixed now. Here's a sample that works for me. (You'll need to change the char names in the source.)

[pipakin]

Interesting macro possibilities

like this one on the main char:

Code:

/invite ALT1
/invite ALT2
/invite ALT3
/invite ALT4
/rpc ALT1 AcceptGroup
/rpc ALT2 AcceptGroup
/rpc ALT3 AcceptGroup
/rpc ALT4 AcceptGroup

one button invite/accept that doesn't need a keybind

or my favorite, the dance party macro

Code:

/dance
/rpc ALT1 DoEmote dance party1target
/rpc ALT2 DoEmote dance party1target
/rpc ALT3 DoEmote dance party1target
/rpc ALT4 DoEmote dance party1target
/s Dance party time!
/rpc ALT1 SendChatMessage "Dance party time!"
/rpc ALT2 SendChatMessage "Dance party time!"
/rpc ALT3 SendChatMessage "Dance party time!"
/rpc ALT4 SendChatMessage "Dance party time!"

[Chorizotarian]

You shouldn't need to add the saved variables. The idea is that LibTrust saves the settings in it's own SavedVariables and you call the public API.

This is wrong apparently Libs can't have saved variables, so LibRpc needs to be an addon. Will be fixed in the next version (in progress).

[emgee]

the LibTrust seems to have an issue with special characters.
my shammies are named Akishâ, Akishá and Akishà
so i enter /trust allow Akishá
and it ends up beeing only Akish on the list

i also put them manually in the Lua file and they also show up in /trust list
but still i get "....answer from untrusted character Akishá..." etc

anyone experienced similar stuff or maybe even fixed it ?

[Chorizotarian]

Looks like there is a console issue with inputing special chars. In the next version you will be able to use "target", "party1", etc., which should fix it.

> i also put them manually in the Lua file and they also show up in /trust list but still i get "....answer from untrusted character Akishá..." etc

I'll look into this tomorrow and try to get you a fix.

[emgee]

you rock!

[Chorizotarian]

Found the problem:

Character classes follow the current locale set for Lua. Therefore, the class '[a-z]' can be different from '%l'.

http://www.lua.org/pil/20.2.html

I patched the LibTrust-0.1 zip linked at the top of the thread. Download a new copy and you should be all set.