GTNardy: Please tell me it'll not be possible on the server side

Timmy: Nothing changed on server side

The only thing that changed is that now it's also possible to read files from Client's Package/* folder

GTNardy: Just seen that it was already possible on the server, it seems concerning regading safety since malicious packages could have a way to remotely read the server files to find database credentials, tokens, ... and other sensitive data that shouldn't be exposed outside of it's respective package

Timmy: on server you can only access files from Server/ folder, except Config.toml one

GTNardy: That makes the server token safe, but eveything that's in a package isn't if you don't pay attention of other packages you're adding to your server

Timmy: any suggestion on how to solve that?

GTNardy: Prevent to read outside of /Server/Packages/package-its-called-from on the server side

Timmy: waiting Voltaism to come and curse on it....

GTNardy: Why not rely on the lua's library for that? since you added --enable_unsafe_libs it seems like an alternative that'd allow to keep a safe behaviour by default

Timmy: how so? what would the native Lua's io solve?

GTNardy:

Timmy: yeah but what is the io library solving here?

GTNardy: It's disabled by default if the server isn't started with --enable_unsafe_libs

Timmy: what you are saying is to only allow File to access files external to that package when running with --enable_unsafe_libs?

GTNardy: First my idea was to rely on + the command line in these cases, but what you said seems like a good alternative