OSSL notecard functions and threat level
- Handy Low
- Posts: 231
- Joined: Fri Nov 08, 2013 3:38 pm
- Location: Yorkshire, England
- Has thanked: 207 times
- Been thanked: 140 times
- Contact:
OSSL notecard functions and threat level
The following OSSL functions have a threat level of "very high":
osMakeNotecard()
osGetNotecardLine()
osGetNotecardLine()
osGetNumberOfNotecardLines()
Why is the threat level so severe? Is there any chance of it being reduced (ideally to "none")?
osMakeNotecard()
osGetNotecardLine()
osGetNotecardLine()
osGetNumberOfNotecardLines()
Why is the threat level so severe? Is there any chance of it being reduced (ideally to "none")?
- These users thanked the author Handy Low for the post (total 2):
- Min Tigerpaw • Kayaker Magic
Handy Low
- Ilan Tochner
- Posts: 6524
- Joined: Sun Dec 23, 2012 8:44 am
- Has thanked: 4986 times
- Been thanked: 4472 times
- Contact:
Re: OSSL notecard functions and threat level
Hi Handy,
Those are the default OpenSim threat levels. If they are set at this level it's probably because there is some grieffing attack vector that uses these functions for creating mischief.
Until we know what that vulnerability is, and can assess the threat it creates, we won't be changing those values from their default.
Those are the default OpenSim threat levels. If they are set at this level it's probably because there is some grieffing attack vector that uses these functions for creating mischief.
Until we know what that vulnerability is, and can assess the threat it creates, we won't be changing those values from their default.
- Handy Low
- Posts: 231
- Joined: Fri Nov 08, 2013 3:38 pm
- Location: Yorkshire, England
- Has thanked: 207 times
- Been thanked: 140 times
- Contact:
Re: OSSL notecard functions and threat level
Thanks, Ilan. It's hard to imagine any kind of griefing that involves (say) counting the lines in a notecard (especially when you can do that anyway with native LSL functions, just in a messier way), but I take your point.
Handy Low
- Ilan Tochner
- Posts: 6524
- Joined: Sun Dec 23, 2012 8:44 am
- Has thanked: 4986 times
- Been thanked: 4472 times
- Contact:
Re: OSSL notecard functions and threat level
Maybe each such access to a notecard requires a database query and allowing it can enable easy DOSing of the sim by creating hundreds of objects constantly calling these functions (I'm just guessing). In any case, some OpenSim developer obviously saw a way this can be abused or else the threat level for these functions would have been set much lower.
- Handy Low
- Posts: 231
- Joined: Fri Nov 08, 2013 3:38 pm
- Location: Yorkshire, England
- Has thanked: 207 times
- Been thanked: 140 times
- Contact:
Re: OSSL notecard functions and threat level
Yes, perhaps the event-based design of the native LSL notecard functions acts as a fence to that sort of attack.
Handy Low
- Min Tigerpaw
- Posts: 223
- Joined: Sun Mar 24, 2013 3:52 pm
- Has thanked: 332 times
- Been thanked: 160 times
Re: OSSL notecard functions and threat level
What are the consequences of a OSSL-function being rated with a high threat level?
They seem to work without problems in Kitely and OS-grid e.g. in my recently launched "MT College Board" and are extremely useful; however some grids lioke Meta apparently has put restrictions on their use (which is an issue for exportable stuff).
I'm using the osNotecard functions for some of my scripted builds and intend to do that more as they are really very useful.
Hope there are no plans to restrict those functions in Kitely and osGrid as they are key to my new videoplayer and other script-projects. It's really nasty if you can't save data to a notecard via script as in SL - for me a clear plus and differentiator for Kitely/OpenSim vs SL.
They seem to work without problems in Kitely and OS-grid e.g. in my recently launched "MT College Board" and are extremely useful; however some grids lioke Meta apparently has put restrictions on their use (which is an issue for exportable stuff).
I'm using the osNotecard functions for some of my scripted builds and intend to do that more as they are really very useful.
Hope there are no plans to restrict those functions in Kitely and osGrid as they are key to my new videoplayer and other script-projects. It's really nasty if you can't save data to a notecard via script as in SL - for me a clear plus and differentiator for Kitely/OpenSim vs SL.
- These users thanked the author Min Tigerpaw for the post (total 2):
- Graham Mills • Constance Peregrine
- Handy Low
- Posts: 231
- Joined: Fri Nov 08, 2013 3:38 pm
- Location: Yorkshire, England
- Has thanked: 207 times
- Been thanked: 140 times
- Contact:
Re: OSSL notecard functions and threat level
Unless I'm mistaken, the OSSL notecard functions (and others with a high threat level) will only work in objects belonging to the owner of the region they're in.
- These users thanked the author Handy Low for the post:
- Ilan Tochner
Handy Low
- Min Tigerpaw
- Posts: 223
- Joined: Sun Mar 24, 2013 3:52 pm
- Has thanked: 332 times
- Been thanked: 160 times
Re: OSSL notecard functions and threat level
Hmm... thought I had checked, that with my alt the used osNotecard functions were working (at least some weeks ago) - and that they also worked in a sandbox of another grid - need to ckeck again!Handy Low wrote:Unless I'm mistaken, the OSSL notecard functions (and others with a high threat level) will only work in objects belonging to the owner of the region they're in.
If what you describe is what it really is - then it's a bit scary from my view:
Let's say someone uses my MT Colllege Board at a teaching grid where he/she is not the grid-owner he/she will not be able to save what was created on the board
or
If a approved user , of my upcoming videoplayer, who is not the owner of the player, wants to save a playlist he/she will not be able to do so
If a future furniture with multipose seating autosaves to a notecard this will not work if it's not placed on the owners grid and used be the owner.
Let's wait until I've checked if the restrictions really are as described - if so:
As these are serious restrictions for developing OpenSim towards a good interactive experience I heavily vote for a review of these ratings (or the consequences for this rating). I can't imagine that the alternative - to allow scripts to use an external server to save in game data - is a more safe approach against griefing.
- These users thanked the author Min Tigerpaw for the post:
- Handy Low
- Handy Low
- Posts: 231
- Joined: Fri Nov 08, 2013 3:38 pm
- Location: Yorkshire, England
- Has thanked: 207 times
- Been thanked: 140 times
- Contact:
Re: OSSL notecard functions and threat level
I completely agree, Min. The inability to save data persistently (aside from reusing prim parameters such as description) has been to my mind one of the most frustrating shortcomings of LSL scripting in SL, and it's a huge shame that OpenSim doesn't address this in a portable manner without changing OpenSim.ini.
Saving data "in the cloud" may be fashionable at the moment, but it's a horrible solution to this particular issue.
Saving data "in the cloud" may be fashionable at the moment, but it's a horrible solution to this particular issue.
Handy Low
- Ilan Tochner
- Posts: 6524
- Joined: Sun Dec 23, 2012 8:44 am
- Has thanked: 4986 times
- Been thanked: 4472 times
- Contact:
Re: OSSL notecard functions and threat level
Hi Min,
OpenSim requires such high threat level scripts to be run by the region owner not the grid owner. Bought items will therefore work in your customers' own Kitely worlds and in the regions they have connected to other grids. This is default OpenSim behavior, we haven't changed it - the only parameter that changes between different grids is what threat level is set as the maximum which is allowed for non region owners (or parcel owners, etc.). See: http://opensimulator.org/wiki/Threat_level and http://www.kitely.com/virtual-world-new ... supported/
OpenSim requires such high threat level scripts to be run by the region owner not the grid owner. Bought items will therefore work in your customers' own Kitely worlds and in the regions they have connected to other grids. This is default OpenSim behavior, we haven't changed it - the only parameter that changes between different grids is what threat level is set as the maximum which is allowed for non region owners (or parcel owners, etc.). See: http://opensimulator.org/wiki/Threat_level and http://www.kitely.com/virtual-world-new ... supported/