09-06-11, 02:49 AM   #25
Cladhaire
Salad!
 
Premium Member
Join Date: Jul 2005
Posts: 1,935
Originally Posted by SDPhantom
In all honesty, running within the parameters Blizzard allows us through the addon system, there can be some nasty code if someone knew what they were doing.

<snip>

A lot of damage can be done in-game from such an addon, but once found, it'll be as easy to remove as deleting the code and restarting WoW, and because of the nature of the WoW environment, an addon is unable to access anything outside of the game.
What you've done is nothing new; it's something that has been the case since the day the system came out. As you've pointed out, there is no way for the addon to propagate itself. Beyond that, most of the actions that have long-lasting negative effects for your character cannot be accomplished without hardware events. This is an intentional limitation built into the API that requires the player to press a key binding or click a button in order to initiate or confirm the change. Destroying items, disenchanting items, trading, selling to a vendor, mailing, should all require hardware events.

So, yes, you can do things like lock someone's client if they happen to install an addon that allows for remote code execution. This is precisely why we have such stringent requirements at wowinterface and why we continue to review each new file by hand. While there's no guaranteed way to make sure that we catch every possible problem, we do a damn good job of keeping nonsense like this from being available on our site.

Just wanted to clear up what seemed to be quite a dramatic over-reaching post.
__________________
"There's only one thing that I know how to do well and I've often been told that you only can do what you know how to do well, and that's be you-- be what you're like-- be like yourself. And so I'm having a wonderful time, but I'd rather be whistling in the dark..."