
Validate & sanitize formspec fields (#3022)

This commit is contained in:
Lars Müller 2023-04-08 18:13:45 +02:00 committed by GitHub
parent 4c6e19968a
commit 833ed77620
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 16 additions and 9 deletions


@ -192,10 +192,13 @@ function creative.register_tab(name, title, items)
inv.start_i = 0 inv.start_i = 0
inv.filter = "" inv.filter = ""
sfinv.set_player_inventory_formspec(player, context) sfinv.set_player_inventory_formspec(player, context)
elseif fields.creative_search or elseif (fields.creative_search or
fields.key_enter_field == "creative_filter" then fields.key_enter_field == "creative_filter")
and fields.creative_filter then
inv.start_i = 0 inv.start_i = 0
inv.filter = fields.creative_filter:lower() inv.filter = fields.creative_filter:sub(1, 128) -- truncate to a sane length
:gsub("[%z\1-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
:lower() -- search is case insensitive
sfinv.set_player_inventory_formspec(player, context) sfinv.set_player_inventory_formspec(player, context)
elseif not fields.quit then elseif not fields.quit then
local start_i = inv.start_i or 0 local start_i = inv.start_i or 0
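Review bot: The truncate/strip/lower chain added at the `fields.creative_filter` branch is repeated verbatim in the search-filter hunk of the fourth file, and the control-character class is copied again in the book and sign hunks, where the sign copy already reads differently; one shared helper, e.g. `local function sanitize_filter(s) return s:sub(1, 128):gsub("[%z\1-\8\11-\31\127]", ""):lower() end`, would stop the four copies drifting apart. `:sub(1, 128)` cuts at a byte offset, so a multi-byte UTF-8 character sitting on the limit is split and the leftover bytes survive the strip; if inv.filter is later echoed back into the formspec or handed to string.find without plain mode, that is worth confirming, as neither use is visible in this hunk. register_tab continues outside the hunk.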


@ -148,7 +148,7 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
return return
end end
if fields.close then if fields.quit then
book_writers[player_name] = nil book_writers[player_name] = nil
end end
@ -179,6 +179,7 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
data.description = S("\"@1\" by @2", short_title, data.owner) data.description = S("\"@1\" by @2", short_title, data.owner)
data.text = fields.text:sub(1, max_text_size) data.text = fields.text:sub(1, max_text_size)
data.text = data.text:gsub("\r\n", "\n"):gsub("\r", "\n") data.text = data.text:gsub("\r\n", "\n"):gsub("\r", "\n")
data.text = data.text:gsub("[%z\1-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
data.page = 1 data.page = 1
data.page_max = math.ceil((#data.text:gsub("[^\n]", "") + 1) / lpp) data.page_max = math.ceil((#data.text:gsub("[^\n]", "") + 1) / lpp)


@ -2597,12 +2597,12 @@ local function register_sign(material, desc, def)
if not text then if not text then
return return
end end
if string.len(text) > 512 then if #text > 512 then
minetest.chat_send_player(player_name, S("Text too long")) minetest.chat_send_player(player_name, S("Text too long"))
return return
end end
default.log_player_action(sender, "wrote \"" .. text .. text = text:gsub("[%z-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
"\" to the sign at", pos) default.log_player_action(sender, ("wrote %q to the sign at"):format(text), pos)
local meta = minetest.get_meta(pos) local meta = minetest.get_meta(pos)
meta:set_string("text", text) meta:set_string("text", text)
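Review bot: The class in the new `text = text:gsub("[%z-\8\11-\31\127]", "")` line differs from the `[%z\1-\8\11-\31\127]` used in the other three hunks, and the difference changes its meaning: inside brackets `%z` is consumed as a class escape, so the `-` after it is a literal hyphen rather than a range operator. As written the call deletes every `-` from sign text while bytes \1–\7 pass through, the opposite of what the trailing comment promises; it should read `text = text:gsub("[%z\1-\8\11-\31\127]", "")`. The `%q` in the new log format keeps the text quoted but still emits each newline as a backslash followed by a real line break, so a multi-line sign yields a multi-line log record. The trailing context line of this hunk is not shown on the page, and register_sign continues beyond it.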


@ -345,8 +345,11 @@ local function on_receive_fields(player, fields)
data.items = init_items data.items = init_items
return true return true
elseif fields.key_enter_field == "filter" or fields.search then elseif (fields.key_enter_field == "filter" or fields.search)
local new = fields.filter:lower() and fields.filter then
local new = fields.filter:sub(1, 128) -- truncate to a sane length
:gsub("[%z\1-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
:lower() -- search is case insensitive
if data.filter == new then if data.filter == new then
return return
end end