
Kkthnx 08-29-11 10:49 AM

Putting skins into the interface folder is bannable
 
If this is bannable why do we let ppl upload the work here.. I heard that downloading addons like

http://www.wowinterface.com/download...48-AI-Art.html

you can be perma banned for putting those into the interface folder.

So now it stands.. Is there a way some1 can clean this pack up and have it properly put into the addons folder? This way it's pure legit and not putting people on the line everyday to being banned...

Moxie 08-29-11 10:50 AM

Changing in-game models is bannable, not UI art.

Coote 08-29-11 11:22 AM

/facepalm

Here we go again.

Haleth 08-29-11 11:49 AM

It's not against the rules. As others have said, modifying the game files is. Anything that happens within the Interface folder is perfectly allowed.

p3lim 08-29-11 04:35 PM

If Blizzard didn't like it they would have removed it a long time ago, just look at how fast AVR got blocked.

Taryble 08-30-11 09:57 AM

If Blizzard didn't like it, they'd remove the ability for the overrides to work. They did it, in fact, with cursor modifications in early Wrath - around patch 3.0.8 or 3.0.6, cursor replacements just stopped working.

Artwork replacements for UI panels should be considered allowed until Blizzard makes them not work anymore. :>

Tonyleila 09-01-11 06:07 AM

Quote:

Originally Posted by Haleth (Post 243909)
It's not against the rules. As others have said, modifying the game files is. Anything that happens within the Interface folder is perfectly allowed.

replacing "...\World of Warcraft\Data\Sound" with empty sound files seems to be allowed too!

haylie 09-02-11 04:42 AM

Quote:

Originally Posted by Tonyleila (Post 244093)
replacing "...\World of Warcraft\Data\Sound" with empty sound files seems to be allowed too!

I've done that millions of times.

Taryble 09-02-11 09:02 AM

And of course, everybody does font overrides in the "Fonts" folder... :>

Torhal 09-02-11 09:30 AM

I've even seen people override the default Unit Frames using Lua and/or XML...

/me ducks

Cairenn 09-02-11 11:41 AM

As the others have mentioned, you are confusing two different things. Changing in-game models (making rogues all look like ninjas, or trolls look like frogs, or dungeon walls invisible, or spiders look like rabbits, or female Night Elves look naked, etc) is a bannable offense. Changing UI art is not. Two completely separate things. That's why we allow people to upload the latter to the site. :)

SDPhantom 09-02-11 01:12 PM

Just to clarify, adding files to the game folder to modify what Blizzard lets us through such method is ok. Editing the data MPQ files to bypass this restriction is not ok.

Vlad 09-02-11 01:12 PM

Some time ago you could make a MPQ file and load custom models into the game, at that point the TOS made this a bannable offense and you'd get banned if discovered by Warden.

Today it's limited by the game itself, you'd have to hack/modify the game to make it work and Warden would find that out at some point, and as far as I know, wowinterface does not allow executables so chances that someone releases something against the TOS is very very slim. :)

This brings me to a second question to Cairenn; why is the Leatrix Latency Fix allowed to post an exe? The vbs I got, but the exe is compiled. Nor are the sources available anymore, so I think you should look into it. I know Leatrix is a nice guy and I can trust him, but still I think more would feel safer if it was readable and not an exe. ;) Not to mention lack of consistency!

Cairenn 09-02-11 01:27 PM

Quote:

Originally Posted by Vladinator (Post 244163)
This brings me to a second question to Cairenn; why is the Leatrix Latency Fix allowed to post an exe? The vbs I got, but the exe is compiled. Nor are the sources available anymore, so I think you should look into it. I know Leatrix is a nice guy and I can trust him, but still I think more would feel safer if it was readable and not an exe. ;) Not to mention lack of consistency!

Notice which category it is in? Tools and Utilities. It's not an addon.

It's also in our upload rules:

Quote:

Executable files are not allowed, except for some very specific cases. We test and decompile all executable files that are submitted. In some cases we may ask for the source. This process could take a while.

Consistency continues.

Vlad 09-03-11 05:51 AM

Hmm, I see. But there are still chances you have a mole in your moderator team that makes a deal with a hacker to flag a tool safe while it in fact contains key-logging software, or somehow disguise the decompiled files/sources, so you don't see the real threat. Then users just have to trust it's safe but never be able to check it themselves, when there are no sources accompanying the exe! What do you say to that? :confused:

Haleth 09-03-11 05:55 AM

This is going way off-topic now, Vladinator you should probably contact an admin through PM for these sort of concerns. :) Regardless, if you don't trust us/the uploader, then you simply shouldn't run an executable.

If anyone has anything else to add to the topic then feel free.

Nibelheim 09-03-11 08:07 AM

I would like to add cookies.

Vlad 09-03-11 11:47 AM

Quote:

Originally Posted by Haleth (Post 244194)
This is going way off-topic now, Vladinator you should probably contact an admin through PM for these sort of concerns. :) Regardless, if you don't trust us/the uploader, then you simply shouldn't run an executable.

If anyone has anything else to add to the topic then feel free.

The end of the last post was on purpose exaggerated. :P

I know, enough off-topic from me here... /wave

Seerah 09-03-11 12:03 PM

alright... I don't think we need to take this any further... :p The OP has been corrected, and we don't need to do it 5 more times. ;)

Cairenn 09-03-11 09:22 PM

Okay, I know Seerah closed this thread, but I'm going to override her decision because I feel that something that was said needs to be addressed and responded to, publicly.

Quote:

Originally Posted by Vladinator (Post 244193)
Hmm, I see. But there are still chances you have a mole in your moderator team that makes a deal with a hacker to flag a tool safe while it in fact contains key-logging software, or somehow disguise the decompiled files/sources, so you don't see the real threat. Then users just have to trust it's safe but never be able to check it themselves, when there are no sources accompanying the exe! What do you say to that?

I realize that this was, as you said yourself in a later post, an exaggeration. However I feel that it should be responded to, not necessarily for your benefit Vladinator, but for other users who may not know us as well and are possibly suddenly finding themselves concerned because of your example. So, without further preamble:

We (MMOUI) have been running User Interface Customization sites for over nine (9) years now. We have seven sites covering eight games. Over the years we have built a sterling reputation with both the game companies themselves and with the users of our sites. We are Official Fan Site Program members for every single game we support. In many cases we are the only Official UI Fan Site for a game. In one case our site is actually linked to, and searches can be done on it, from within the game itself. Between all of our sites, we've got close to a million registered users. Given that we don't require registration to download from our sites, you can be sure that the actual number of users (both registered and not) is exponentially higher. That is a lot of trust placed in us, trust earned by a lot of hard work over a lot of years. No one has ever been hacked as a consequence of using our site or any addons downloaded from any of our sites. Ever.

In those nine years, we have had only one single instance of one of our sites being compromised. The two compromised files were quarantined in less than two hours after being infected. The entire incident was completely resolved in less than six hours. The hole that the malicious programmers found got closed and additional safety protocols were put in place. Also, we were extremely upfront about the fact that the compromise had occurred, with a major announcement on the front page of our site, links to the announcement on the various social networks, full explanation of what the malicious files were, how to find them and how to clean them from your system if you happened to have gotten either of the infected files before we got them locked down.

Every single file that is uploaded to, or updated on, any of our sites goes through numerous steps before it is ever made available for the general public to download:
  • they are manually opened by site staff and checked to make sure there are no executables;
  • they are manually virus scanned by site staff;
  • the description and screenshots are manually scrutinized by site staff;
  • an MD5 hash is automatically generated by our system and applied on upload/update; and
  • a SHA hash is automatically generated by our system and applied on upload/update.
Only after a file has gone through and passed all of those steps is it released for download.

(This next part applies specifically to your hypothetical situation, where we've got a "mole" in our moderation team)

Every night, there are automatic steps that all files in our database go through:
  • automatic virus scans;
  • the MD5 and SHA hashes are verified; and
  • there are other safety protocols in place as well, but no point letting the malicious programmers know everything we are doing to protect our sites and our users.
As well, we periodically pick a random file that has an executable and put it through the same scrutiny that it went through the first time it was uploaded. This includes us de-compiling it, getting the source code, running it in a 'safe' environment and watching the processes, if it makes any 'outside' connections, etc.

Yes, it is important to be careful when downloading things, but that doesn't mean that every executable is automatically malicious, nor that every site is rife with malware. Yes, any site can be infiltrated. That has been proven, very dramatically, this year. That includes the site on which we are currently having this discussion. All we (everyone using the internet) can do is try our best to be sensible.

When it comes right down to it, though, if you are that uncomfortable, then just don't download and use it. Or else run it through your own virus scans. Or ... It's not like any of the files we are talking about are absolutely necessary for you to have. And the only way you can ever be truly safe when using the internet ... is to just not use the internet.

Finally, that was a very insulting thing to even joke about, concerning our moderation team. You've been a member here for 6 years, you know better than that. They are fantastic people that give freely of their time to make sure this site stays as great as it is, for all of our users.

tl;dr = Don't be stupid when using the internet. Use sites you can trust, that have a proven track record of doing everything they can to protect their site and users. Check the stuff you download.
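The upload-time hashing and nightly hash verification described in the post above, as an added example that is not part of the original thread and is not WoWInterface's own system. It assumes SHA-256 for the unspecified "SHA hash"; the function names, file names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digests(path, chunk_size=65536):
    """Return MD5 and SHA-256 hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def register_upload(manifest, root, path):
    """Record the digests of a file at the moment it is approved.

    The manifest only helps if it is stored where someone who can
    modify the hosted files cannot also rewrite it.
    """
    name = Path(path).relative_to(root).as_posix()
    manifest[name] = file_digests(path)


def nightly_verify(manifest, root):
    """Compare every file under root with the approved manifest."""
    root = Path(root)
    on_disk = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file()}
    findings = {"modified": [], "missing": [], "unregistered": []}
    for name in sorted(manifest):
        if name not in on_disk:
            findings["missing"].append(name)          # approved file vanished
        elif file_digests(root / name) != manifest[name]:
            findings["modified"].append(name)         # content changed since approval
    # Files that appeared without ever passing the upload checks.
    findings["unregistered"] = sorted(on_disk - set(manifest))
    return findings


def demo():
    """Constructed scenario: three approved files, then three kinds of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = {}
        approved = [("ArtPack.zip", b"ui textures v1"),
                    ("FontPack.zip", b"fonts v1"),
                    ("Tool.zip", b"tool v1")]
        for name, body in approved:
            (root / name).write_bytes(body)
            register_upload(manifest, root, root / name)
        clean = nightly_verify(manifest, root)

        (root / "ArtPack.zip").write_bytes(b"ui textures v1 + changed bytes")
        (root / "FontPack.zip").unlink()
        (root / "Extra.zip").write_bytes(b"never reviewed")
        return clean, nightly_verify(manifest, root)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The same `file_digests` call is what a downloader would run locally to compare a file against a hash published by the site.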

Seerah 09-03-11 09:35 PM

Not to mention that your post was *entirely* out of line and insulting. You've been a member here for almost 6 years. You and the rest of our community (I hope) know what we do for you here day in and day out, and how committed we are.

Irregardless of whether you intended for your comment to be "exaggerated" or not, it did not come off as such. And it hurts to see those things said and (even hypothetical) accusations levied.

Helln_HiHeels 09-05-11 07:14 AM

Please don't be offended
 
I may be a *n00b* as far as my length of being a registered member but I have been a huge fan of this site for most of my 6+ yrs of WoW play. I recommend this site to my guildmates and other players on a daily basis. This site is linked countless times over on the WoW forums.

While I would like to think the reply from Cairenn would have been generated had it been anyone's post (not because they're a longtime member) .. but it certainly does address concerns many players have (malicious stuff in downloads).

The reassurance contained in Cairenn's reply is noteworthy on such a huge scale to so many users of this site.. it will be very hard to resist the "copy & paste" or "link" to this post when responding to the negatives I come across on various other forums regarding "downloading addons". Not only is Cairenn's response eloquently put and easily understood .. but also portrays heartfelt efforts of this community.

Cairenn 09-05-11 12:21 PM

Quote:

Originally Posted by Helln_HiHeels (Post 244277)
I may be a *n00b* as far as my length of being a registered member but I have been a huge fan of this site for most of my 6+ yrs of WoW play. I recommend this site to my guildmates and other players on a daily basis. This site is linked countless times over on the WoW forums.

While I would like to think the reply from Cairenn would have been generated had it been anyone's post (not because they're a longtime member) .. but it certainly does address concerns many players have (malicious stuff in downloads).

The reassurance contained in Cairenn's reply is noteworthy on such a huge scale to so many users of this site.. it will be very hard to resist the "copy & paste" or "link" to this post when responding to the negatives I come across on various other forums regarding "downloading addons". Not only is Cairenn's response eloquently put and easily understood .. but also portrays heartfelt efforts of this community.

Thank you for the kind words, Helln-HiHeels. It's always nice to hear that people like us enough to direct other users to our site! :)

Yes, the post would have been (and in fact is) posted regardless the person it is 'directed' at. I have posted basically the same thing on other forums every time people get going about how dangerous addons are, how you can't trust the 3rd party sites that host addons, etc.

Trying to reassure users is exactly why I overwrote Seerah's decision to close the thread, and indeed our usual rule of not allowing topics to get so far off track. I just felt that it was really important to respond to the 'exaggerated' example that was posted, for exactly that reason - reassuring people.

Absolutely no reason for you to resist. Go for it. The more people are educated, the better it is for everyone. :)

*hugs Helln_HiHeels*

SDPhantom 09-05-11 11:13 PM

In all honesty, running within the parameters Blizzard allows us through the addon system, there can be some nasty code if someone knew what they were doing.

For example, I've had a private project that would prove the concept of being able to remotely run Lua code on another player's machine. The addon code ran similar in the way a trojan virus does. The user would unwittingly install the code and have it run. While running, the addon would allow remote access to the host system and wait for additional code to be sent from a remote source for it to execute. Unlike a normal computer virus, there is no way for addon code to propagate itself to infect other machines or even other addons on the same machine.

For security purposes, I've kept the code to myself and integrated a secure login system so nobody else could take advantage of it while I was testing. The person I ran the test with as a host is a RL friend who fully agreed to assist me in the test, and in fact, supplied me with different things he wanted to see me make his character do. I supervised the removal of the code from his machine afterward.

Being run as a pure WoW addon, there were still the same limitations on the code I could have run. However, nothing could stop such code from being able to send the game into an infinite loop, causing it to freeze, messing with the UI, or read the WoW API to track player status and location. This would be among the usual list addons can do including the ability to send chat and emotes through the host player, spy on communications to and from the player, direct access to bags/inventory and in specific circumstances, player/guild banks, mail, guild control, etc.

A lot of damage can be done in-game from such an addon, but once found, it'll be as easy to remove as deleting the code and restarting WoW. And because of the nature of the WoW environment, an addon is unable to access anything outside of the game.

Cladhaire 09-06-11 02:49 AM

Quote:

Originally Posted by SDPhantom (Post 244312)
In all honesty, running within the parameters Blizzard allows us through the addon system, there can be some nasty code if someone knew what they were doing.

<snip>

A lot of damage can be done in-game from such an addon, but once found, it'll be as easy to remove as deleting the code and restarting WoW. And because of the nature of the WoW environment, an addon is unable to access anything outside of the game.

What you've done is nothing new, it's something that has been the case since the day the system came out. As you've pointed out, there is no way for the addon to propagate itself. Beyond that, most of the actions that have long-lasting negative effects for your character cannot be accomplished without hardware events. This is an intentional limitation built into the API that requires the player to press a key binding or click a button in order to initiate or confirm the change. Destroying items, disenchanting items, trading, selling to a vendor, mailing, should all require hardware events.

So, yes, you can do things like lock someone's client if they happen to install an addon that allows for remote code execution. This is precisely why we have such stringent requirements at wowinterface and why we continue to review each new file by hand. While there's no guaranteed way to make sure that we catch every possible problem, we do a damn good job of keeping nonsense like this from being available on our site.

Just wanted to clear up what seemed to be quite a dramatic over-reaching post.

Vlad 09-06-11 10:56 AM

Quote:

Originally Posted by Cairenn (Post 244223)
Finally, that was a very insulting thing to even joke about, concerning our moderation team. You've been a member here for 6 years, you know better than that. They are fantastic people that give freely of their time to make sure this site stays as great as it is, for all of our users.

Quote:

Originally Posted by Seerah (Post 244224)
Not to mention that your post was *entirely* out of line and insulting. You've been a member here for almost 6 years. You and the rest of our community (I hope) know what we do for you here day in and day out, and how committed we are.

Irregardless of whether you intended for your comment to be "exaggerated" or not, it did not come off as such. And it hurts to see those things said and (even hypothetical) accusations levied.

Considering how both Cairenn and Seerah reacted to my post, I realize that probably more people have been offended by it, than taken it like an exaggerated "what if" situation and gotten a few chuckles because of the silliness of it all.

It was a silly post that only did more bad than good, so I'd wanted to take a moment to apologize and correct my wrongdoing by saying that I truly appreciate the team working on this site, and that I have never doubted anyone - I have no reason to. The only emotion I'd like to convey is gratitude, so it hurts me too to see that you guys got offended by what I said, it was not the intention at all.

I am not proud of this misunderstanding, and I'd like to put this behind me.

Cairenn 09-06-11 11:53 AM

Thank you for that Vlad. Apology accepted, at least on my part.

SDPhantom 09-06-11 12:25 PM

Quote:

Originally Posted by Cladhaire (Post 244315)
... Destroying items, disenchanting items, trading, selling to a vendor, mailing, should all require hardware events.

For security concerns, I'm not going into details. I'll just say some functions aren't as protected as you think while the rest weren't listed in my post for this very reason.

Quote:

Originally Posted by Cladhaire (Post 244315)
... This is precisely why we have such stringent requirements at wowinterface and why we continue to review each new file by hand. While there's no guaranteed way to make sure that we catch every possible problem, we do a damn good job of keeping nonsense like this from being available on our site.

Just wanted to clear up what seemed to be quite a dramatic over-reaching post.

I have no intent on disputing the work of the WoWInterface staff. I admire the effort everyone has made thus far. I'm just pointing out what is possible and I have personal experience in the coding and testing of an addon that has done this.

However dramatic, it is still quite possible, and the fact that I've never found any record of an incident like this ever happening means everyone's been doing a great job in keeping such code from being uploaded.

Seerah 09-06-11 04:05 PM

Quote:

Originally Posted by Cairenn (Post 244342)
Thank you for that Vlad. Apology accepted, at least on my part.

I accept your apology, too. I think part of the hurt was the shock of who it was coming from. As Helln_HiHeels pointed out, people will always question the safety of things they're not familiar with or question what could be possible. Thank you for the apology. :)

Treader 10-21-11 01:04 AM

I'm only saying this for informative reasons, vendoring items does not require a hardware event nor does destroying items.

My addon, Stocker and several others, automatically sell grey items when the vendor frame is opened. Whether the act of opening the vendor frame counts as a hardware event for being able to sell everything in the bags, I don't know.

However, using another of my addons, EasyDestroy, I have only ever tried to destroy one item at a time always with a hardware event, but it definitely doesn't require the user to click "Okay" or type "delete".

Edit: P.S. Why am I still an "addon author" when I no longer have any addons hosted here?

Seerah 10-21-11 01:11 PM

Destroying items of superior quality on up requires you to type "DELETE" into the window and confirm.

And you're still an author because you *are* an author. :p But... if you prefer, we could have dolby turn the tag off... ;)

Treader 10-21-11 06:11 PM

Quote:

Originally Posted by Seerah (Post 246263)
Destroying items of superior quality on up requires you to type "DELETE" into the window and confirm.

The dialog that you type "delete" into is bypassable; however, to my recollection I have never tried to delete a blue or better item using my addon. Edit: It has been a really long time since I debugged EasyDestroy...

Quote:

Originally Posted by Seerah (Post 246263)
And you're still an author because you *are* an author. :p But... if you prefer, we could have dolby turn the tag off... ;)

It's fine. I just thought it was weird that it still says that.

Edit: I just deleted a blue item without typing "delete".

haylie 10-22-11 06:25 AM

If you're all so paranoid about what the game can and can't do, or what addons can and can't do, then maybe you should just stop using addons. Or playing.

Haleth 10-22-11 07:16 AM

This thread has derailed from its original purpose, so I'm locking it. Feel free to make a new topic if you want to discuss the limitations/security of the API (without posting security vulnerabilities, obviously).


All times are GMT -6.