Skip to content
This repository has been archived by the owner on Dec 11, 2022. It is now read-only.

Broadcast required mod downloadlink #58

Closed
wants to merge 2 commits into from

Conversation

uniboi
Copy link

@uniboi uniboi commented Apr 14, 2022

I love it when servers rely on mods that you can't find on Thunderstore.
Depends on R2Northstar/NorthstarMods#309 and R2Northstar/NorthstarLauncher#146

@GeckoEidechse
Copy link
Member

Wait, is this just accepting any link by the gameserver as the download source? This could be really bad if a malicious entity makes a server with a "common" required mod (there's barely servers that require extra mods atm but that might chance with this PR) but adds a malicious download link.

It would probably be better if we grab the Thunderstore link of a mod based on its name directly from Thunderstore to prevent linking to malicious sources.

Of course this doesn't prevent malicious mods but that's a separate issue.

@ASpoonPlaysGames
Copy link
Contributor

Yeah I'd say that trusting a download link that can be easily directly edited by a malicious user is a bad plan

It would probably be better if we grab the Thunderstore link of a mod based on its name directly from Thunderstore to prevent linking to malicious sources.

Get the download link from the mod name and version combined, that's what thunderstore uses to make sure things are unique, so we should probably mimic that behaviour

@ASpoonPlaysGames
Copy link
Contributor

ASpoonPlaysGames commented Aug 20, 2022

Just for some clarification:

A thunderstore download link is like this: https://northstar.thunderstore.io/package/download/<team>/<package_name>/<version>/

A thunderstore package page link is like this
https://northstar.thunderstore.io/package/<team>/<package_name>/

Unfortunately, we don't have the package name or team in the mod.json anywhere, at least we don't have anything that we can guarantee matches

@uniboi
Copy link
Author

uniboi commented Aug 20, 2022

We should really start developing an approval mechanism for mods like a web dashboard and the infrastructure

@pg9182
Copy link
Member

pg9182 commented Oct 22, 2022

Superseded by #87.

@pg9182 pg9182 closed this Oct 22, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants