From 833ed776204b194d96b50e400861dec07b5c16aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20M=C3=BCller?= <34514239+appgurueu@users.noreply.github.com>
Date: Sat, 8 Apr 2023 18:13:45 +0200
Subject: [PATCH] Validate & sanitize formspec fields (#3022)

---
 mods/creative/inventory.lua | 9 ++++++---
 mods/default/craftitems.lua | 3 ++-
 mods/default/nodes.lua | 6 +++---
 mods/mtg_craftguide/init.lua | 7 +++++--
 4 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/mods/creative/inventory.lua b/mods/creative/inventory.lua
index e3b08224..3f0a12df 100644
--- a/mods/creative/inventory.lua
+++ b/mods/creative/inventory.lua
@@ -192,10 +192,13 @@ function creative.register_tab(name, title, items)
 inv.start_i = 0
 inv.filter = ""
 sfinv.set_player_inventory_formspec(player, context)
- elseif fields.creative_search or
- fields.key_enter_field == "creative_filter" then
+ elseif (fields.creative_search or
+ fields.key_enter_field == "creative_filter")
+ and fields.creative_filter then
 inv.start_i = 0
- inv.filter = fields.creative_filter:lower()
+ inv.filter = fields.creative_filter:sub(1, 128) -- truncate to a sane length
+ :gsub("[%z\1-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
+ :lower() -- search is case insensitive
 sfinv.set_player_inventory_formspec(player, context)
 elseif not fields.quit then
 local start_i = inv.start_i or 0
diff --git a/mods/default/craftitems.lua b/mods/default/craftitems.lua
index d2e827f4..3cd5da7d 100644
--- a/mods/default/craftitems.lua
+++ b/mods/default/craftitems.lua
@@ -148,7 +148,7 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
 return
 end
 
- if fields.close then
+ if fields.quit then
 book_writers[player_name] = nil
 end
 
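Review bot: `fields.creative_filter:sub(1, 128)` truncates on a byte boundary, so a filter containing multi-byte UTF-8 text can be cut in the middle of a code point and `inv.filter` is left ending in a partial sequence; the same applies to `fields.filter:sub(1, 128)` in the mtg_craftguide hunk. For the case-insensitive search this mostly just fails to match, but if the value is echoed back into the formspec field (not visible in this hunk) the client is sent invalid UTF-8. A cheap fix is to drop a trailing incomplete sequence after the `sub` (a final lead byte in `\192-\255` followed by fewer continuation bytes in `\128-\191` than it requires), or to truncate at the last complete character rather than at a fixed byte count. The `elseif` chain of creative.register_tab continues outside the hunk.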
@@ -179,6 +179,7 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
 data.description = S("\"@1\" by @2", short_title, data.owner)
 data.text = fields.text:sub(1, max_text_size)
 data.text = data.text:gsub("\r\n", "\n"):gsub("\r", "\n")
+ data.text = data.text:gsub("[%z\1-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
 data.page = 1
 data.page_max = math.ceil((#data.text:gsub("[^\n]", "") + 1) / lpp)
 
diff --git a/mods/default/nodes.lua b/mods/default/nodes.lua
index 41d50199..d59f6384 100644
--- a/mods/default/nodes.lua
+++ b/mods/default/nodes.lua
@@ -2597,12 +2597,12 @@ local function register_sign(material, desc, def)
 if not text then
 return
 end
- if string.len(text) > 512 then
+ if #text > 512 then
 minetest.chat_send_player(player_name, S("Text too long"))
 return
 end
- default.log_player_action(sender, "wrote \"" .. text ..
- "\" to the sign at", pos)
+ text = text:gsub("[%z-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
+ default.log_player_action(sender, ("wrote %q to the sign at"):format(text), pos)
 local meta = minetest.get_meta(pos)
 meta:set_string("text", text)
 
diff --git a/mods/mtg_craftguide/init.lua b/mods/mtg_craftguide/init.lua
index f3de3db5..55b76d75 100644
--- a/mods/mtg_craftguide/init.lua
+++ b/mods/mtg_craftguide/init.lua
@@ -345,8 +345,11 @@ local function on_receive_fields(player, fields)
 data.items = init_items
 return true
 
- elseif fields.key_enter_field == "filter" or fields.search then
- local new = fields.filter:lower()
+ elseif (fields.key_enter_field == "filter" or fields.search)
+ and fields.filter then
+ local new = fields.filter:sub(1, 128) -- truncate to a sane length
+ :gsub("[%z\1-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
+ :lower() -- search is case insensitive
 if data.filter == new then
 return
 end
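Review bot: The character set in the new `text = text:gsub("[%z-\8\11-\31\127]", "")` line in nodes.lua is missing the `\1` that the other three hunks use (`[%z\1-\8\11-\31\127]`). Lua's set parser consumes `%z` as a class, so the following `-` and `\8` become literal members instead of a range: bytes `\1`–`\7` are not stripped from sign text at all, while every hyphen in the text is silently removed before it is logged and stored. The line should read `text = text:gsub("[%z\1-\8\11-\31\127]", "")`. Since this is the fourth copy of the same pattern across three mods, putting it behind one shared helper (default already owns the other two call sites) would keep the copies from drifting like this; the receive-fields callback inside register_sign starts and ends outside the hunk.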