It seems there is an issue where compiled scripts are stored, not as individual 
assets, but as part of SOG/SOP.



That should never have happened, but it has.



For the moment, TrustBinaries=false is your solution, but watch for changes!



- Melanie
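An added example, not part of the original e-mail or of OpenSimulator's code: one way to check that every simulator ends up with `TrustBinaries = false`, ignoring commented-out lines and letting a later config file override an earlier one. The `[Startup]` section header, the load order and the sample configs are assumptions constructed for illustration.

```python
import re

# Matches an active (uncommented) assignment such as "TrustBinaries = true".
# OpenSim .ini files use ';' for comments, so a leading ';' disables the line
# and anything after ';' on the same line is ignored.
_ASSIGN = re.compile(r"^\s*TrustBinaries\s*=\s*([^;#\s]+)", re.IGNORECASE)


def effective_trust_binaries(ini_texts):
    """Return 'true', 'false', another literal, or None if never set.

    ini_texts: contents of one simulator's .ini files in load order
    (assumed here: a later assignment overrides an earlier one).
    """
    value = None
    for text in ini_texts:
        for line in text.splitlines():
            m = _ASSIGN.match(line)
            if m:
                value = m.group(1).lower()
    return value


def audit(simulators):
    """Map simulator name -> finding, for every simulator not set to false."""
    findings = {}
    for name, ini_texts in simulators.items():
        v = effective_trust_binaries(ini_texts)
        if v == "true":
            findings[name] = "TrustBinaries enabled"
        elif v is None:
            findings[name] = "TrustBinaries not set explicitly"
        elif v != "false":
            findings[name] = f"unrecognised value {v!r}"
    return findings


# Constructed sample configs; the section name is an assumption.
SAMPLE = {
    "sim-a": ["[Startup]\nTrustBinaries = false\n",
              "[Startup]\n  trustbinaries=TRUE ; temp\n"],   # override wins
    "sim-b": ["[Startup]\n; TrustBinaries = true\nTrustBinaries = false\n"],
    "sim-c": ["[Startup]\n;TrustBinaries = true\n"],          # only a comment
}

if __name__ == "__main__":
    for sim, finding in sorted(audit(SAMPLE).items()):
        print(f"{sim}: {finding}")
```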







---- On Sat, 16 Oct 2021 00:19:09 +0100 Asaff Belfer <asa...@gmail.com> wrote ----



Hello,

I have checked and found that our simulators were set with TrustBinaries = true

I have reverted that setting in a simulator that displayed an exception
about method not found when loading and now it has loaded WITHOUT any
exception.

As we suffer similar problems in other locations, I will make sure that all
the simulators are set the same and will update if that has resolved the
issue completely.

I still don't understand what actually happened that caused it. If the LSL
script syntax has not changed and the asset servers are storing only LSL
code but not compiled code and also there is no previous script engine
compiled code from previous simulator versions - what could trigger that
exception?

Thanks,
Asaff


On Sat, Oct 16, 2021 at 1:37 AM Melanie <mailto:mela...@t-data.com> wrote:

> I have checked the code, extensively. I did find an exploit where a
> carefully crafted yobj file could be instrumented to create a DOS attack or
> a nuisance attack and I'm looking into how to fix that issue.
>
>
>
> However, I also did check the YEngine code, and compiled scripts are most
> certainly NOT stored as binaries in assets in the grid server or local
> asset store. The asset server only ever sees script source, we do NOT create
> assets of type LSLBytecode or any other type containing compiled scripts.
> Compiled scripts are only ever stored on the local hard disk. They are also
> sent alongside other region transfer info, but they never become assets.
>
>
>
> For the moment, grids that either allow region connections or HG are well
> advised to keep TrustBinaries off, I have to retract my previous statement
> about safety in YEngine after finding that exploit vector.
>
>
>
> For now, TrustBinaries=true is ONLY recommended for walled gardens
> allowing neither external regions nor hypergrid.
>
>
>
> However, compiled scripts are NOT stored as assets. In fact the very
> functions that deal with them are absolutely unable to handle anything other
> than local files.
>
>
>
> - Melanie
>
>
>
>
> ---- On Fri, 15 Oct 2021 22:22:33 +0100 Leal Duarte <mailto:ajldua...@sapo.pt>
> wrote ----
>
>
> Did TrustBinaries = false fix the issue?
>
> As you did observe, TrustBinaries is not only a major security problem,
> it also forces the use of binary code wrongly stored on the asset at grid.
>
> so the only fix with TrustBinaries = true, is manual inworld recompile.
>
> 0008026: "Runtime Error in script... Could not load type 'list' from
> assembly..." Script fails to function - MantisBT (opensimulator.org)
> <http://opensimulator.org/mantis/view.php?id=8026>
>
> you can not set it true after an upgrade. A rez from inventory will
> trigger the issue again.
>
> Ubit
>
>
> On 14-Oct-21 14:54, Asaff Belfer wrote:
> > Hello,
> >
> > I don't mind setting TrustBinaries = false as our grid is a "walled
> > garden" so there will not be cases of untrusted binaries entering our
> > system.
> >
> > I still don't understand how new compiled code could generate this error.
> >
> > I'm starting to think that there is something in the old LSL code that
> > somehow gets fixed when the LSL code is saved again.
> >
> > Thanks,
> > Asaff
> >
> >
> > On Thu, Oct 14, 2021 at 1:50 PM Melanie <mailto:mela...@t-data.com> wrote:
> >
> >     TrustBinaries is safe in regions using only YEngine. That is
> >     because the compiled YEngine scripts are not actually binaries,
> >     they are not DLLs. They are just a preparsed AST to save the
> >     compiler some work, but that AST is used to generate the binary
> >     code on the receiving side.
> >
> >
> >
> >     With XEngine, TrustBinaries would let other regions send actual
> >     DLLs, which would be dangerous. With YEngine, it's perfectly safe.
> >
> >
> >
> >     - Melanie
> >
> >
> >
> >
> >
> >
> >     ---- On Thu, 14 Oct 2021 11:37:15 +0100 Leal Duarte <mailto:ajldua...@sapo.pt> wrote ----
> >
> >
> >     Make sure you have TrustBinaries = false in opensim.ini
> >
> >     That should never be true except on a few use cases.
> >
> >     Ubit
> >
> >
> >     On 13-Oct-21 15:56, Asaff Belfer wrote:
> >     > But this is just it.
> >     > The simulators were not upgraded. They were re-installed in a different
> >     > folder so it's a completely new installation.
> >     >
> >     > Could it be that there is a C# or a compiled code stored inside the assets
> >     > server?
> >     >
> >     > Asaff
> >     >
> >     >
> >     > On Wed, Oct 13, 2021 at 5:00 PM Leal Duarte <mailto:ajldua...@sapo.pt> wrote:
> >     >
> >     >> Hi,
> >     >>
> >     >>       Yes on a major upgrade you should delete folder
> >     >> .../bin/ScriptEngines so all scripts are compiled and initialized again.
> >     >>
> >     >> Ubit
> >     >>
> >     >>
> >     >> On 13-Oct-21 11:23, Asaff Belfer wrote:
> >     >>> Hello everyone,
> >     >>>
> >     >>> We've recently upgraded our grid to version 0.9.1.1. We found out that some
> >     >>> scripts generate exceptions. These exceptions seem to go away when editing
> >     >>> the LSL script and saving again (it could be a minor change like a space
> >     >>> somewhere).
> >     >>>
> >     >>> Here is an example of the exception that we get:
> >     >>>
> >     >>> [03:21] System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.MissingMethodException: Method not found: 'LSLString OpenSim.Region.ScriptEngine.Shared.ScriptBase.ScriptBaseClass.llKey2Name(System.String)'.
> >     >>>      at SecondLife.XEngineScript.init()
> >     >>>      at SecondLife.XEngineScript.default_event_state_entry()
> >     >>>      --- End of inner exception stack trace ---
> >     >>>
> >     >>> Server stack trace:
> >     >>>      at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
> >     >>>      at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
> >     >>>      at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
> >     >>>      at System.Reflection.MethodBase.Invoke(Object obj, Object[] parameters)
> >     >>>      at OpenSim.Region.ScriptEngine.Shared.ScriptBase.Executor.ExecuteEvent(String state, String FunctionName, Object[
> >     >>>
> >     >>> Did anyone else have problems with scripts from previous versions like this?
> >     >>> thanks,
> >     >>> Asaff
> >     >>>
> >     >>>
> >     >>> _______________________________________________
> >     >>> Opensim-users mailing list
> >     >>> Opensim-users@opensimulator.org
> >     >>> http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-users