Necroing about safety from a couple of posts ago! Here is something about safety, copy/pasted from X4fab's Patreon site; however small it looks, who knows, it can be helpful:
Sadly, it looks like we’re starting to see some bad-faith modders in the community. So, I thought I’d make a small post with a few recommendations, and work on making CSP a bit safer.
First of all, please keep an eye on the type of content you’re installing, and if you’re not using Content Manager to install a mod (or if it’s being installed as a generic mod), glance through the files to see what actually is being added. If it’s something like a new car, or something else contained within the “content” folder, it’s perfectly safe. But if a mod adds anything to “apps”, “extension”, “launcher”, “plugins”, “server” or “system”, or if it includes any DLL (or EXE for you to run), such a mod can, potentially, do anything it wants on your system, so please check those mods thoroughly. Especially if it’s a stolen mod: those are sometimes repacked by third parties, so some of the files might be edited.
With the original Assetto Corsa, there are plenty of ways a mod could add its own logic. Apart from obvious stuff like including its own version of Reshade DLL or adding a new Python app, they could also alter launcher logic, add a new AC plugin, adjust one of JS files loaded by the original launcher, swap Python libraries (either standard or AC ones). And, to be clear, the original Python apps of Assetto Corsa can do anything they want. If anything, they can do a whole lot more compared to Lua apps, but those also have pretty much no limits. And when it comes to this type of thing, if a script can as much as simply save a file somewhere within the Assetto Corsa folder, that’s already more than enough to compromise data files.
Now, Custom Shaders Patch adds a lot of other types of scripts for all sorts of tasks. Ever since adding script support to Content Manager (which allowed us to have much nicer, if static, weather conditions back in the day), I was always fascinated by how much flexibility can be achieved with a simple Lua script. But, the way the whole thing is currently set, those scripts aren’t a weaker alternative to Lua apps. If anything, Lua apps are the weak ones, with delayed loading, and sometimes loading skipped altogether. A specialized script — such as Pure (a great WeatherFX style by Peter Boese) — loads first, and has full access to your file system and other processes! So, all the scripts you’re installing explicitly (with CM warning you about potential dangers), and going to CSP settings to enable explicitly — including post-processing scripts, GamepadFX scripts and more — all can do pretty much anything. That’s how Pure can edit configs and load extensions, how Curved Monitor filter can export settings, it allows for Mobile GamepadFX script to exchange data with the phone, or for Wooting keyboard script to read analog values from those keyboards. It also allows for traffic mode to load missing assets, and more.
There are only three exceptions: car scripts (both regular and physics), track scripts and, of course, online scripts. Those are the scripts you might not be aware of installing, and they are fully sandboxed and can’t really do anything like saving files.
In the next update, I’ll add something for CSP to ask each time before starting a new script with full files access, and something for scripts to opt-out of that access. But even with that addition, I ask you to still be cautious — a malicious mod could always find a way to circumvent some of these protections, like replacing a config of another mod changing its behavior in a potentially threatening way. Using Content Manager to install mods and keeping an eye on its warnings should be enough though.
For extra safety, I’m also going to add some settings for blocking out scripts entirely, and maybe something that would prevent sandboxed scripts from accessing the internet (although, that might break some things like Android Auto or online scripts).
If it is illegal to post this, let me know and then I will delete it! Please, moderators, do not ban me; I think it's safety first?
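
An added example, not part of the post above or of the quoted Patreon text: a small Python check that lists a mod archive before installing it and flags the entries the quoted advice says to inspect (anything under "apps", "extension", "launcher", "plugins", "server" or "system", plus any DLL or EXE). The sample archive and its file names are constructed, and treating the first recognised game folder in a path as the install root is an assumption about how mods are packed.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Folder names come from the quoted post; anything under them can carry code.
RISKY_ROOTS = {"apps", "extension", "launcher", "plugins", "server", "system"}
SAFE_ROOTS = {"content"}
BINARY_EXTS = {".dll", ".exe"}

def classify(entry):
    """Return why an archive entry needs a manual look, or None if it does not."""
    path = PurePosixPath(entry.replace("\\", "/"))
    if path.suffix.lower() in BINARY_EXTS:
        return "binary"
    # Assumption: archives often wrap files in an extra folder, so the first
    # component that names a known game folder is treated as the install root.
    for part in path.parts[:-1]:
        name = part.lower()
        if name in SAFE_ROOTS:
            return None  # e.g. content/cars/<car>/extension/ is per-car data
        if name in RISKY_ROOTS:
            return "writes to " + name
    return "outside content"

def audit_archive(fileobj):
    """Map each flagged file in a zip archive to the reason it was flagged."""
    findings = {}
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            reason = None if info.is_dir() else classify(info.filename)
            if reason:
                findings[info.filename] = reason
    return findings

def build_sample():
    """Constructed sample archive (empty files, invented names), not a real mod."""
    names = ["SampleMod/content/cars/sample_car/data.acd",
             "SampleMod/content/cars/sample_car/extension/ext_config.ini",
             "SampleMod/apps/python/sample_app/sample_app.py",
             "SampleMod/extension/lua/sample/script.lua",
             "SampleMod/content/tracks/sample/helper.dll",
             "SampleMod/readme.txt"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in audit_archive(build_sample()).items():
        print(f"{reason:22} {name}")
```

A flagged entry is only a prompt to open and read that file before installing; an empty result does not prove the mod is safe.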