Authors CurseForge

Just a note that this was referring to a standalone Lua environment not in-game.

You can't use explicit file io from wow (just in case that's where you were heading with this).

Quote from Brimmstone

Is there any way at all to write some sort of custom log-file in the game?

No, but honestly this is another basic feature they should have... make it with a delayed write and append only... but.... they really should put it in.

You could join a custom chat channel and output your log information to that channel. By enabling chat logging, you get a file with all your chat activity (and therefore also your log-channel). That log is written during gameplay.

Indeed, and writing an appending log file would of course be sandboxed to just be in one directory with the name of the addon being the base file name etc... so it would add almost no risks not already present.

Quote from Brimmstone

Interesting thought. Have you given consideration to the fact that we're already doing that with saved variables, and the code itself that you're downloading and installing? Or are you checking everything you download in some sort of text editor first?

Quote from twobits

Indeed, and writing an appending log file would of course be sandboxed to just be in one directory with the name of the addon being the base file name etc... so it would add almost no risks not already present.

The worst thing that a malicious addon author can do today is to keep adding huge strings of gibberish to a table, and then wait for the WoW client to write that table to disk as part of SavedVariables. No matter how big the table gets, it's tiny compared to the available disk space. At most, the table will use up the available memory and the player will have to restart the game.

If a malicious addon author can write directly to the drive, then they can just keep on appending data until the drive is filled, or until the file is large enough that the OS has problems with it. How many players would know what to look for to solve that problem, or even just to recover from it? We're not talking developers here, we're talking Grandpa and Grandson who enjoy questing together on the weekend being asked to find unusually large files in a subfolder that they didn't even know existed.

Even if it's sandboxed, you would have to have previously taken steps like isolating WoW to its own partition or other -- let's be honest -- unreasonable steps in order to safeguard against that. There are any number of ways to sort of prevent that, like size limitations monitored by the client, but (1) they probably would work most of the time but probably wouldn't be foolproof, and (2) they would likely eventually interefere with legitimate addons, because arbitrary restrictions eventually always do.

"Probably" does not make me feel warm and fuzzy about the security and stability of my computer. I think I'm just as happy knowing that addons can't see the drives. But that's just my opinion.

One of the biggest reasons WoW has avoided writing to files, especially in real-time, is to prevent botting. This won't be changing.

Quote from egingell

See, the thing is, the WoW client does that, not the addon author. The saved variables file is read into RAM, the addon(s) modify those variables while in RAM, and WoW dumps the data back to the file when the player logs out.

See the thing is , the OS does that, not the WoW client. The WoW client asked the OS to read the file into ram and the the WoW client asks the OS to dump the file to disk....

so.. umm. not really a logical difference we already have abstractiion layers.... and this point is not for any file writing anywhere on the system, it can be sandboxed .

Quote from Farmbuyer

The worst thing that a malicious addon author can do today is to keep adding huge strings of gibberish to a table, and then wait for the WoW client to write that table to disk as part of SavedVariables. No matter how big the table gets, it's tiny compared to the available disk space. At most, the table will use up the available memory and the player will have to restart the game.

If a malicious addon author can write directly to the drive, then they can just keep on appending data until the drive is filled, or until the file is large enough that the OS has problems with it. How many players would know what to look for to solve that problem, or even just to recover from it? We're not talking developers here, we're talking Grandpa and Grandson who enjoy questing together on the weekend being asked to find unusually large files in a subfolder that they didn't even know existed.

Even if it's sandboxed, you would have to have previously taken steps like isolating WoW to its own partition or other -- let's be honest -- unreasonable steps in order to safeguard against that. There are any number of ways to sort of prevent that, like size limitations monitored by the client, but (1) they probably would work most of the time but probably wouldn't be foolproof, and (2) they would likely eventually interefere with legitimate addons, because arbitrary restrictions eventually always do.

"Probably" does not make me feel warm and fuzzy about the security and stability of my computer. I think I'm just as happy knowing that addons can't see the drives. But that's just my opinion.

What about already being able to turn on the combat log? Solution here is to have a log rotation system built in the limits the length a file can be....

Quote from Allara

One of the biggest reasons WoW has avoided writing to files, especially in real-time, is to prevent botting. This won't be changing.

same solution as they use for the existing log writing, a buffer and delay

I'm guessing this would-be bot is actually a third party application, which can read files and push buttons.