WARNING - BinaryFormatter Security Vulnerability

Malte_Hernandez · May 20, 2023, 10:28am

Hi, is it really not possible to make a video showing the exact steps for this? The document itself says its very difficult to save with json and that alot of things can go very wrong. Im just thinking since this is a very important part of this course.

bixarrio · May 20, 2023, 10:48am

I don’t know if this is related to the RPG course but @Brian_Trotter has written a comprehensive post about changing the save system to a json-based version. It says ‘ON HOLD’ but check it out anyway.

That being said, the security vulnerability is only really a problem if you are going to have a distributed save. The issue is that malicious code can be injected into a save and executed. If that save only lives on your own machine, you would have to be the one injecting that code and executing it on your own machine. There are a lot of easier ways to break your own machine. This doesn’t mean someone can’t hack your system and do it but again, if they’ve hacked your system you have bigger problems than your game’s save

Brian_Trotter · May 20, 2023, 4:07pm

Actually, he’s referring to the official version fo the Json save system which now lives at SavingSystem. The version in this post is outdated. The course now includes a link to the final solution.

I’ve actually tried, but while writing text based tutorials is quite easy for me, making videos is next to impossible, both owing to my lack of skill in it and not having the right environment to do so. (My house is anything but quiet).

If you have any questions or issues implementing the system, please don’t hesitate to ask. That’s what I’m here for.

bixarrio · May 20, 2023, 4:19pm

Good to know, thanks

Brian_Trotter · May 20, 2023, 5:04pm

I edited the header of the draft post from 2 years ago to redirect you to the finished wiki tutorial.

Malte_Hernandez · May 21, 2023, 4:58pm

Thank you for your reply. I will come back if I run into any problems. But the JSON solution should work just as intended? Once thats done I can just keep going? I saw that it also covers the other courses of the unity rpg “mega” course so I know I’ll have to come back to your guide if I choose to continue.

Brian_Trotter · May 21, 2023, 5:47pm

Yes, each class is current to the course classes. If you make a major change to what’s saved in a class from the course or add a new ISaveable class that wasn’t in the course, then you’ll need to write those CaptureAsJToken and RestoreAsJToken yourself, or ask for assistance here in the Community forums.