luanti-org/luanti
1
0
Fork 0
mirror of https://github.com/luanti-org/luanti.git synced 2025-10-13 08:35:20 +02:00
Code Activity

Mitigate formspec exploits by verifying that the formspec was shown to the user by the server. (#6878)

Browse Source 
This doesn't check the fields in anyway whatsoever so it should only be seen as a way to mitigate exploits, a last line of defense to make it harder to exploit bugs in mods, not as a reason to not do all the usually checks.
This commit is contained in:
red-001
2018-02-18 21:33:42 +00:00
committed by Loïc Blot
parent 63bcd33036
commit 4bb41a19dc
3 changed files with 35 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/server.cpp
View File

@@ -1571,8 +1571,10 @@ void Server::SendShowFormspecMessage(session_t peer_id, const std::string &forms
NetworkPacket pkt(TOCLIENT_SHOW_FORMSPEC, 0 , peer_id);
if (formspec.empty()){
//the client should close the formspec
m_formspec_state_data.erase(peer_id);
pkt.putLongString("");
} else {
m_formspec_state_data[peer_id] = formname;
pkt.putLongString(FORMSPEC_VERSION_STRING + formspec);
}
pkt << formname;
@@ -2660,6 +2662,9 @@ void Server::DeleteClient(session_t peer_id, ClientDeletionReason reason)
++i;
}
// clear formspec info so the next client can't abuse the current state
m_formspec_state_data.erase(peer_id);
RemotePlayer *player = m_env->getPlayer(peer_id);
/* Run scripts and remove from environment */