Lin545: edit:

It turns out that piping the arguments using pipe or xargs results in them not being displayed on the process output!
That means command line option is fine, if input is piped like this:

echo $login $pass | xargs lgogdownloader --login

would not cause any security holes.
Unfortunately it would still create the same security hole. Now you have echo process running with the cmdline arguments world readable (and I think it won't exit until lgogdownloader is done reading from the pipe).

Write them to file, then cat the file to xargs. That might be secure, depending on the permissions.
Post edited February 14, 2017 by huan
huan: Write them to file, then cat the file to xargs. That might be secure, depending on the permissions.
Nice, thanks!
Lin545: Nice, thanks!
Eh, I should slap myself. All this is doing is moving the bug around so it's harder to spot, and I fell for it too. xargs itself creates the same kind of problem - it converts stdin to command line arguments and passes them to another process - as a command line. Until lgogdownloader supports reading the information directly from stdin, all you can do is obscure it a bit; no implementation will truly be secure. Expect route should avoid this kind of pitfall, but my experience with it is very limited.
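Added example, not part of the original posts and not lgogdownloader code: a check on Linux of which of the three hand-off methods discussed above (plain argument, xargs, stdin) leaves a secret readable in /proc/<pid>/cmdline. The "client" process is a hypothetical stand-in that just sleeps, and the secret is a constructed placeholder.

```shell
#!/bin/sh
# Added illustration (Linux /proc assumed). 'client' is a hypothetical stand-in
# for a program that takes a password; lgogdownloader is not invoked.
CLIENT='sleep 3; :'   # trailing ':' keeps the shell from exec-ing into sleep

# Return 0 if $1 appears in the argv of any process we may read.
# tr never receives the secret; a grep "$1" would match its own argv.
in_any_cmdline() {
    for f in /proc/[0-9]*/cmdline; do
        args=$( { tr '\000' ' ' < "$f"; } 2>/dev/null ) || continue
        case $args in *"$1"*) return 0 ;; esac
    done
    return 1
}

# Hand a constructed secret to the stand-in via argv, xargs or stdin,
# then return 0 if it was readable from /proc while the stand-in ran.
# printf is a shell builtin in bash and dash, so it creates no argv entry.
leaks() {
    secret="constructed-secret-$$-$1"   # built at run time, unique per mode
    case $1 in
        argv)  sh -c "$CLIENT" client --login "$secret" >/dev/null 2>&1 & ;;
        xargs) printf '%s\n' "$secret" | xargs sh -c "$CLIENT" client >/dev/null 2>&1 & ;;
        stdin) printf '%s\n' "$secret" | sh -c "read -r pw; $CLIENT" client >/dev/null 2>&1 & ;;
        *)     return 2 ;;
    esac
    pid=$!
    sleep 1                             # let fork/exec settle before sampling
    found=1
    in_any_cmdline "$secret" && found=0
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    return "$found"
}

for mode in argv xargs stdin; do
    if leaks "$mode"; then echo "$mode: secret visible in a process argv"
    else echo "$mode: secret not visible in any argv"; fi
done
```

In the xargs case the secret does not appear in the argv of xargs itself but in that of the child it spawns, which is why the check scans every readable process rather than only the one that was started.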
I made some progress with Galaxy API.

Much of the Galaxy stuff is hard coded and full of ugly hacks that require lots of clean up but I'm able to download at least some game files.

https://gfycat.com/AntiqueEcstaticFawn
Sude: I made some progress with Galaxy API.

Much of the Galaxy stuff is hard coded and full of ugly hacks that require lots of clean up but I'm able to download at least some game files.

https://gfycat.com/AntiqueEcstaticFawn
Hacks be damned, you've pretty much just made a Linux Galaxy client before GOG did. This is extremely cool, can't wait to try it out!
Sude: I made some progress with Galaxy API.

Much of the Galaxy stuff is hard coded and full of ugly hacks that require lots of clean up but I'm able to download at least some game files.

https://gfycat.com/AntiqueEcstaticFawn
Are GOG changing the protocol often, or does it look stable? They claimed they don't want to publish it, because they expect to change it quite a lot, and efforts on clients based on that will be somewhat wasted because of it.
Post edited 4 days ago by shmerl
So I cleaned up a large part of the code and pushed the current code to git.

It has lots of changes
$ git diff --cached --shortstat
18 files changed, 1491 insertions(+), 702 deletions(-)

https://github.com/Sude-/lgogdownloader/commit/f2e8dde


Website login code was changed to Galaxy login.
You probably want to --login to generate Galaxy login tokens.
Galaxy login tokens are saved to $XDG_CONFIG_HOME/lgogdownloader/galaxy_tokens.json

Config is now global in "Globals" namespace. I'm planning on splitting the config to smaller individual parts so this is probably going to change in the future.

I added 2 options to test some galaxy features. They are hidden from --help text so users don't think these are final or even working properly.
--galaxy-show-builds "product_id" - shows game builds for product id
--galaxy-show-builds "product_id/build_index" - shows some more info about specified game build

--galaxy-install "product_id" - installs the first build for product id (same as "product_id/0")
--galaxy-install "product_id/build_index" - installs a specified build, you can get the build index with --galaxy-show-builds

--list-details shows the numerical product id that you can use with --galaxy-show-builds and --galaxy-install

Galaxy support is limited to only English language Windows builds.
Only generation 2 builds are supported. GOG hasn't updated many older games to generation 2 builds yet. So expect to see "Only generation 2 builds are supported currently" error message a lot when testing this.
I haven't tested if this works with DLCs. Most likely it fails to install DLCs or just crashes when it encounters one.

It can't resume partial file downloads at this moment.

New dependencies:
boost-iostreams
shmerl: Are GOG changing the protocol often, or does it look stable? They claimed they don't want to publish it, because they expect to change it quite a lot, and efforts on clients based on that will be somewhat wasted because of it.
I've only spent a couple weeks looking at the API responses and I've only looked at the API traffic related to downloading files.
So far I haven't noticed any big changes. I guess that the parts of the API that are for downloading files are quite stable, but then again I haven't looked at it for that long.