+1 vote
by (170 points)
Talked with Godaddy today. Files created using Sugarcube 2 can no longer be posted to one of their cpanel shared servers. Only a business tier hosting plan will accept. On their end it is marked as malware and boots the html file off the server. FTP shows it there and then it disappears. They won't tell me what in the file is causing it because of security concerns. Sugarcube 1 still makes it through. Harlowe makes it through. Any ideas on how to fix it? Thanks.

3 Answers

0 votes
by (68.6k points)
selected by
Best answer

There's not much anyone can do without information.

  1. What do they think is wrong?  I can't believe they refuse to say anything due to "security concerns".
  2. What version of SugarCube is this (the full version)?
  3. Where did you get it?  Is it the one bundled with Twine 2 (and which version of Twine 2) or did you download it?
  4. Did you include any 3rd-party JavaScript?
  5. Et cetera.
by (170 points)
1) If you are feeling patient you can try loading your own and do another 1/2 hour tech support call with them. If they told us and we circumvented the code problem we could destroy the world with a new virus. C-panel servers are pretty common now and the problem should be easily replicated for everyone's testing. I could privately give you FTP access to a limited folder for testing your own files.

2) and 3) Tried online version 2 of twine with sugarcube 2.21 and desktop app with latest sugarcube 2.24. Even single-passage-default-file-start published files failed. These are files that less than a month ago loaded fine. Working files removed from the server were not able to be placed back on.

4) As above even nearly empty single passage files with no edits to stylesheet failed.

I know nothing about server security but am willing to try stripping out sections of the code from the published html till I see what makes it through. Sugarcube 1 and Harlowe formats still make it through so I was going to take an uneducated look at the differences. I'm hoping that it is possible to strip the javascript and styles back into relatively linked file paths and folders.

I had an entire class of student twine projects ready to load publicly.

I appreciate your frustration.
by (68.6k points)
edited by

I don't have a website with GoDaddy and I don't intend to pay them for the privilege of looking into this (AFAIK they don't offer free web services).  If they won't tell you anything at all, then my hands are tied.  I appreciate the offer to poke your FTP, but seeing the file be automatically removed won't really tell me anything.

As far as stripping things out.  If an essentially empty project is triggering their security machinery, then there's not much you'll be able to do.  Certainly, it's unlikely that stripping out parts of your project would make a difference.

It's likely going to end up being a false positive from a poorly written heuristic rule from some AV/M suite.  I'll submit an empty project to VirusTotal later to check on that front.

EDIT: Well, apparently the current virus database from ClamAV thinks it contains some Microsoft Edge-specific vulnerability exploit.  I've submitted a false positive report.  We'll see where that goes I guess.

With no other information to go on at the moment, I'm going to assume the ClamAV complaint is what's up GoDaddy's idiotic arse.

EDIT x2: If anyone has ClamAV installed, could you please check projects compiled against recent versions of SugarCube v2 (even empty projects will do).  As noted in my last edit, I've already submitted a false positive report, but I'd like an independent confirmation if possible (in case they want to play football).  Right now I'm relying entirely upon VirusTotal's report.

by (68.6k points)

UPDATE: I received a similar complaint from someone on another web host.  The common element between GoDaddy and them is that they both use cPanel.  After a quick check of their docs, cPanel does use ClamAV.  I figured that ClamAV was at the center of this, however, now I know they are.

Extra reports cannot hurt, so if those affected by this would like to submit a false positive report to ClamAV with your compiled project, please do so.

by (170 points)
As Per GoblinSpaceWizard below: C-Panel Servers allow posts again. Thank You!
0 votes
by (710 points)
I'm having the same problem with Runbox, which also uses cPanel.
by (190 points)
I was also using Cpanel . It refused to upload the twine because c-panel said the file had a virus: The file you uploaded, psychologyemailgreetings.html, contains a virus so the upload was canceled: Html.Exploit.CVE_2018_0874-6466377-0 FOUND
+1 vote
by (710 points)
I just tried uploading my game again and it worked, so it looks like this might be resolved.
by (170 points)
Yes! I have verified that it is working for me now too. Thank you so much TheMadExile and others who did all the work and interface with reports. Godaddy C-panel now accepts the Sugarcube2 + files.

Here is a sample of my student work.


I can post more if anyone is interested. These are college Graphic Design students on an Interactive Design project. Trying to help them see that designing for choices are the core of Interaction. Thanks for the great Twine tools!