Remove moduledownloader to avoid RCE. #1562

Merged
merged 1 commit into from
Nov 27, 2020

gibbed
Contributor

@gibbed gibbed commented Nov 25, 2020

What does this PR do?

This removes moduledownloader functionality which is used to download missing modules from a remote server (default packagesrv.com).

How does this PR change Premake's behavior?

Premake will no longer attempt to download missing modules.

Anything else we should know?

The domain that moduledownloader is pinging and grabbing missing modules from (packagesrv.com) had lapsed and expired, and moduledownloader is implemented in such a fashion that it does not securely download and install modules. This would lead to a remote code execution. @JoelLinn has registered the domain to prevent any bad actors from taking advantage of this situation, but this is only a bandaid fix.

Please refer to #1381.

Did you check all the boxes?

  • Focus on a single fix or feature; remove any unrelated formatting or code changes
  • Add unit tests showing fix or feature works; all tests pass
  • Mention any related issues (put closes #XXXX in comment to auto-close issue when PR is merged)
  • Follow our coding conventions
  • Minimize the number of commits

Member

@samsinsane samsinsane left a comment

I'll leave this for @starkos to merge.

@starkos starkos merged commit 67f5bd1 into premake:master Nov 27, 2020
@gibbed gibbed deleted the remove-moduledownloader branch November 27, 2020 20:25