More features, but possibly controversial

As you'll probably note, there's now a RPGMaker Trans "latest version" thingy at the top of the page, in preparation for a launch soon. Hopefully I'll be able to make the style look a bit better at some point, but that's not important presently.

The latest version part is a little scheme I've cooked up to try and minimise support headaches for me. I have my suspicions that some problems that people had with older versions of RPGMaker Trans was because they used outdated versions. Hence new versions of RPGMaker Trans will check to see if updates are available by looking up this blog - this is one of the other advantages of moving off Hongfire. If an update is available, then RPGMaker Trans will notify the user and will not run until the update is applied. Or as far as that is possible; in practice a user can get around this by simply deleting or editing the configuration file, or blocking RPGMaker Trans with a firewall. There will also be a clause in the RPGMaker Trans license which means that users are only authorised to run the latest version of RPGMaker Trans, so hopefully ethical people will heed the new rules.

On the subject of license changes, I've redone the redistribution clause. The new clause actually works from a legal point of view (the old one did not specify the license that people with a redistributed copy should use, and so did not work), but also there is a requirement to get permission from me first. This is mainly so that I can have a list of people to e-mail updates to, again to minimise support headaches.

... Actually, when I say support headaches, I also mean "serious security flaws". There is a concerning attack vector in older versions of RPGMaker Trans, given it's usage case. Potentially,  it is possible to create a game which can execute pretty much any code when fed through RPGMaker Trans; this could be of concern to unauthorised translations when the creator really strenuously objects, but also if there's just some malicious person wanting to expand a botnet or something. Whilst I've got the solution to this hole planned out and nearly implemented, I think it's wise to get some form of centralisation so I can get updates out in a timely fashion, in case there's some other problem.

And for reference, I'm not being spiteful and making up this security hole because I object to other people sharing the present version of RPGMaker Trans, despite my request not to. I'm not going to be disclosing the problem quite yet (as it would be irresponsible of me to do so when users have no way of fixing the problem), but there will be a full disclosure of the problem once the new version is out.

EDIT: As an addendum, patch files can also be used to exploit the flaw (thanks for the question, Matt). I mentioned game files simply because there is a translation project going on which I'm pretty certain isn't approved of by the creators, and so I think this is perhaps the more likely place for the attack to happen from.


Comments powered by Disqus