[Game Update] - 651415

[JesseB_Klei]

This is a hotfix meant to address concerns about the game's sandboxing and protection with regards to mods. It will break some mods from working as they were initially written for the time being until a better or alternative solution can be provided. We understand that this is an inconvenience for many mods that use these features in legitimate ways and we are open to hearing out potential solutions for allowing them to work again in a more defined way.

• Changes
  • io.open will no longer be able to write files and will always treat any file access as read only.
  • TheSim:QueryServer will no longer be able to send or get information from third party services or URLs.
  • TheSim:SetPersistentString and TheSim:SetPersistentStringInClusterSlot will be prevented from writing to certain auto-ran files for clients and server clusters.

View full update

[Cliffford W.]

Well that is a very good update.

Aside from the fact i can't no longer receive mod crash logs if people consented to it RIP.

[Philip.]

1 hour ago, JesseB_Klei said:

• io.open will no longer be able to write files and will always treat any file access as read only.
• TheSim:QueryServer will no longer be able to send or get information from third party services or URLs.
• TheSim:SetPersistentString and TheSim:SetPersistentStringInClusterSlot will be prevented from writing to certain auto-ran files for clients and server clusters.

Those are quite devastating changes for our community, since most of our discord integration functionality, database stuff, in-game emojis, configurations, etc. was based on those functions to ensure it's flexible and works on any hosting platform (we used to change hosting providers a lot and not everyone allows running third party services on their servers).

[Littlefat1213]

it's a dark day for mod community

[GodIess]

This is a very terrible decision. Maybe I didn't fully understand the point. A very large number of modifications will lose a lot of functionality. This includes updating translations from github or crowdin, some configuration files. Perhaps it is worth limiting the list of allowed domains? For example, Github, Crowdin, Discord, Steam, etc.? Or allow this functionality, but only in the main menu and outside the game worlds

[crushcircuit]

1 hour ago, GodIess said:

This is a very terrible decision. Maybe I didn't fully understand the point. A very large number of modifications will lose a lot of functionality. This includes updating translations from github or crowdin, some configuration files. Perhaps it is worth limiting the list of allowed domains? For example, Github, Crowdin, Discord, Steam, etc.? Or allow this functionality, but only in the main menu and outside the game worlds

unfortunately somebody made a worm that utilized these functions maliciously in order to force klei to disable them. i imagine they'll figure out some sort of compromise soon

Edited January 25, 2025 by crushcircuit

[Littlefat1213]

the guy named ，

his mod could make the game auto download and force enable all his mods and repeatly send chat message like this:

 

 

Edited January 25, 2025 by Littlefat1213

[baixiaofei]

A suggestion: If it is a server type, allow it to write files and access web pages。

The problem occurs on the client machine

[EatenCheetos]

This is such a terrible change, a dark day for the modding community indeed. Dozens, if not hundreds, of staple mods will be completely unusable, including some of my very own, hard worked creations.

4 hours ago, GodIess said:

This is a very terrible decision. Maybe I didn't fully understand the point. A very large number of modifications will lose a lot of functionality. This includes updating translations from github or crowdin, some configuration files. Perhaps it is worth limiting the list of allowed domains? For example, Github, Crowdin, Discord, Steam, etc.? Or allow this functionality, but only in the main menu and outside the game worlds

I don’t like the idea of limited domains. My dstbases.com project is in shambles right now. 

Klei, I beg of you, at least keep the fetching and writing of unharmful file types like .json and .txt

[Kova_]

On 1/25/2025 at 6:53 AM, EatenCheetos said:

Klei, I beg of you, at least keep the fetching and writing of unharmful file types like .json and .txt

The malicious mod used reading a `.json` file.

BTW, I checked your mod.  Can you please reach me on Discord?  kova

[BaiQi43]

We are extremely grateful for your team's continuous updates and maintenance of the game. Regarding the recent hotfix focused on the game's sandboxing and mod protection, we understand your intention to safeguard the game's security and stability. However, the modification that disables TheSim:QueryServer from sending or obtaining information from third - party services and URLs has caused great distress to numerous mods.

In many mods, the TheSim:QueryServer function plays a vital role. For instance, some online interactive mods rely on this function to achieve real - time data interaction among players. There are also some resource - integration mods that depend on it to fetch the latest resource information from specific URLs, thus enriching the game content. It can be said that this function is the key to the normal operation and unique charm of many mods.

Admittedly, enabling this function may pose certain security risks, but we believe it should not be completely disabled for this reason. We suggest that while restoring the TheSim:QueryServer function, clear risk warnings should be added to inform mod developers and players of potential security hazards. Meanwhile, your team can formulate strict control rules. For example, implement a whitelist management system for accessed third - party services and URLs, allowing only legally - reviewed sources to be accessed; or encrypt the data transmission process to ensure data security.

We believe that through reasonable risk warnings and control measures, the needs of mods for the TheSim:QueryServer function can be met while effectively avoiding security risks, making the game ecosystem healthier and more prosperous. We sincerely hope that your team will carefully consider our suggestions and restore this important function.