Thread: [SOLUTION] Insecure Code Errors
View Single Post
02/09/17, 10:50 PM   #1
Randactyl
AddOn Author - Click to view addons
Join Date: Apr 2014
Posts: 251
[SOLUTION] Insecure Code Errors
Let's see if we can consolidate all of these.

Preface:
Addon code is considered insecure. ZOS code is considered secure.
Protected functions may be called from insecure code through CallSecureProtected("FunctionName", ...).
Private functions may not be called from insecure code.
Protected and private functions may be called from secure code.

With ESO 2.7 (Homestead) we've seen an explosion of "attempt to access a private function 'FunctionName' from insecure code" errors. The following is a list of currently identified causes.

1. Overriding a ZOS function
Overriding a global ZOS function moves the function into insecure code. If the overridden function makes calls to other functions, the insecure execution context cascades down the entire call chain. This is fine as long as there are no possible ways calling the overriding function could lead to a protected or private function being called somewhere along the chain.

2. Manual Pre and Post Hooking
Largely the same as item 1. Manually hooking involves calling a normally secured function from an insecure context. For prehooks, ZO_PreHook or ZO_PreHookHandler should be used. Unfortunately, there is currently no safe way to posthook secure code.
See:
http://www.esoui.com/forums/showthread.php?t=6152
http://www.esoui.com/forums/showthre...6803#post29737

3. Object Pools
ZOS creates a number of different object pools and preallocates a certain number of objects in each pool. If an addon draws from the pool, the preallocated objects will be returned first. If there are no more preallocated objects, a new one is created and returned until the pool reaches its high water mark.
The preallocated objects, since they were created in secure code, are secure. When an addon draws from a pool and gets a newly allocated object, that object is insecure. If the call chain of the insecure object's event handlers contains a protected or private function, the call will fail with the insecure code error.

If you are absolutely positive you've done all you can to prevent these errors but are still receiving them, there is a black magic workaround. Say your error is with UseItem:
Lua Code:
  1. function UseItem(...)
  2.     CallSecureProtected("UseItem", ...)
  3. end

If it is with another protected function, just replace both instances of UseItem with the name of the appropriate function.

Edit - a note from AssemblerManiac: Overridding UseItem in this way will prevent the use of items from the inventory screen while in combat. This means that items like potions and food cannot be used from the inventory menu. They can still be used from quick slots without any issue.
Last edited by Randactyl : 02/10/17 at 04:34 AM.
  Reply With Quote