I would love to hear an official explanation as to why this won't be a major security issue.

And why CfgRemoteExecCommands = {}; not blocking RemoteExec?

Arma3 destroys more than it fixes, they should be bussy fixing theire shit bugs that havent been fixed for more than a year instead of patching shit all the time! The only revenue they get is from people buying the game to play mods, nobody is intrested in playing their crappy single/multiplayer missions and what do they do? Instead of helping modders they push them deeper underground. Look what happened to dayz mod/standalone that turned out GREAT.. full of hackers!

As a fact I tried playing theire singleplayer mission once, and in the second mission I ended up with broken legs and I couldnt fix myself eventhough I had a medickit and tons of bandages I ended up crawling for 2hrs and never played it again.

#BIplease ;)

Bohemia is placing too much trust in Battleye to stop exploitation of this, fact is Battleye won't be able to prevent this as it's easily bypassable. This is handing a golden nuke button to every script kiddie.

this is a hackers wet dream, please dont do it!

Confirmed here too, this needs to be fixed before the release of 1.46.

ARMA needs some way too disable stupid functions like via the desc.ext maybe.
If this gets into Release, we are all fucked!

I am really am surprised it made this made it into a RC without someone checking if you can whitelist the commands.

Anyway this function really needs to be able to be disabled altogether.
Also needs to be checked that if someone manages to call the function from engine, it won't trigger code on other clients / servers since its engine based command.

is this a joke BIS ?

These commands should not be released into stable until they are fully functional (which they are not) and full security review has been done including whatever additional commands need to be released to accompany remoteExec. I am a little bit suprised commands are already in RC.

remoteExec implementation currently in DEV version is not yet final. It will indeed be possible to limit it or disable it. It's not planned to be in 1.46, we want to be extra sure about it before pushing it to the main branch.
Sorry for confusion.

this ticket covers work-in-progress change in underlaying system which was explained in http://dev.arma3.com/post/sitrep-00108

so don't blow it out of proportions, atm. it's quite buggy but expect it to be improved over upcoming DEV branch builds

A small wishlist

1. description.ext whitelist of functions, or serverside compileFinal'able array of functions. The latter would be more flexible.

2. ability to enable reasonable RPT logging each time the functions are called. What, from who, and to whom. If its called, I want it logged.

3. ability for server to block unsolicited uses of the function. If I have it being called from 2 different scripts, and it gets called from an unknown 3rd script, I don't want the code to be remote executed.

4. Ability to easily disable other remote execution methods. Such as disabling BIS_fnc_MP without preinit tricks.

5. BattlEye kick for unsolicited uses of remoteExec/remoteExecCall

6. Define in description.ext the filepaths of the script where each approved use of remoteExec is located. If remoteExec not from these scripts and use in console disabled, then reject the attempt.

Just some ideas.

Regards,
Quiksilver