luanti-org/luanti
1
0
Fork 0
mirror of https://github.com/luanti-org/luanti.git synced 2025-10-31 15:35:21 +01:00
Code Activity

Protect per-player detached inventory actions

Browse Source
This commit is contained in:
SmallJoker
2021-03-07 10:04:07 +01:00
committed by sfan5
parent 67be50b706
commit 41beb74ef7
3 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/network/serverpackethandler.cpp
View File

@@ -626,7 +626,7 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)
const bool player_has_interact = checkPriv(player->getName(), "interact"); const bool player_has_interact = checkPriv(player->getName(), "interact");
auto check_inv_access = [player, player_has_interact] ( auto check_inv_access = [player, player_has_interact, this] (
const InventoryLocation &loc) -> bool { const InventoryLocation &loc) -> bool {
if (loc.type == InventoryLocation::CURRENT_PLAYER) if (loc.type == InventoryLocation::CURRENT_PLAYER)
return false; // Only used internally on the client, never sent return false; // Only used internally on the client, never sent
@@ -634,6 +634,10 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)
// Allow access to own inventory in all cases // Allow access to own inventory in all cases
return loc.name == player->getName(); return loc.name == player->getName();
} }
if (loc.type == InventoryLocation::DETACHED) {
if (!getInventoryMgr()->checkDetachedInventoryAccess(loc, player->getName()))
return false;
}
if (!player_has_interact) { if (!player_has_interact) {
infostream << "Cannot modify foreign inventory: " infostream << "Cannot modify foreign inventory: "

12
src/server/serverinventorymgr.cpp
View File

@@ -168,6 +168,18 @@ bool ServerInventoryManager::removeDetachedInventory(const std::string &name)
return true; return true;
} }
bool ServerInventoryManager::checkDetachedInventoryAccess(
const InventoryLocation &loc, const std::string &player) const
{
SANITY_CHECK(loc.type == InventoryLocation::DETACHED);
const auto &inv_it = m_detached_inventories.find(loc.name);
if (inv_it == m_detached_inventories.end())
return false;
return inv_it->second.owner.empty() || inv_it->second.owner == player;
}
void ServerInventoryManager::sendDetachedInventories(const std::string &peer_name, void ServerInventoryManager::sendDetachedInventories(const std::string &peer_name,
bool incremental, bool incremental,
std::function<void(const std::string &, Inventory *)> apply_cb) std::function<void(const std::string &, Inventory *)> apply_cb)

1
src/server/serverinventorymgr.h
View File

@@ -43,6 +43,7 @@ public:
Inventory *createDetachedInventory(const std::string &name, IItemDefManager *idef, Inventory *createDetachedInventory(const std::string &name, IItemDefManager *idef,
const std::string &player = ""); const std::string &player = "");
bool removeDetachedInventory(const std::string &name); bool removeDetachedInventory(const std::string &name);
bool checkDetachedInventoryAccess(const InventoryLocation &loc, const std::string &player) const;
void sendDetachedInventories(const std::string &peer_name, bool incremental, void sendDetachedInventories(const std::string &peer_name, bool incremental,
std::function<void(const std::string &, Inventory *)> apply_cb); std::function<void(const std::string &, Inventory *)> apply_cb);