Fix item duplication vulnerability

2018-02-11 12:33:46 +00:00 · 2018-02-11 12:33:46 +00:00 · 59b26b37f9
parent 7226dd6174
commit 59b26b37f9
3 changed files with 81 additions and 26 deletions
--- a/3d_armor/README.txt
+++ b/3d_armor/README.txt
@ -68,6 +68,9 @@ armor_fire_protect = false
 -- Enable punch damage effects.
 armor_punch_damage = true

+-- Enable migration of old armor inventories
+armor_migrate_old_inventory = true
+
 API
 ---

--- a/3d_armor/api.lua
+++ b/3d_armor/api.lua
@ -72,6 +72,7 @@ armor = {
 		on_damage = {},
 		on_destroy = {},
 	},
+	migrate_old_inventory = true,
 	version = "0.4.10",
 }

@ -174,7 +175,7 @@ armor.update_player_visuals = function(self, player)
 end

 armor.set_player_armor = function(self, player)
-	local name, player_inv = self:get_valid_player(player, "[set_player_armor]")
+	local name, armor_inv = self:get_valid_player(player, "[set_player_armor]")
 	if not name then
 		return
 	end
@ -199,7 +200,7 @@ armor.set_player_armor = function(self, player)
 		change[group] = 1
 		levels[group] = 0
 	end
-	local list = player_inv:get_list("armor")
+	local list = armor_inv:get_list("armor")
 	if type(list) ~= "table" then
 		return
 	end
@ -297,7 +298,7 @@ armor.set_player_armor = function(self, player)
 end

 armor.punch = function(self, player, hitter, time_from_last_punch, tool_capabilities)
-	local name, player_inv = self:get_valid_player(player, "[punch]")
+	local name, armor_inv = self:get_valid_player(player, "[punch]")
 	if not name then
 		return
 	end
@ -305,7 +306,7 @@ armor.punch = function(self, player, hitter, time_from_last_punch, tool_capabili
 	local count = 0
 	local recip = true
 	local default_groups = {cracky=3, snappy=3, choppy=3, crumbly=3, level=1}
-	local list = player_inv:get_list("armor")
+	local list = armor_inv:get_list("armor")
 	for i, stack in pairs(list) do
 		if stack:get_count() == 1 then
 			local name = stack:get_name()
@ -427,6 +428,57 @@ armor.get_armor_formspec = function(self, name, listring)
 	return formspec
 end

+armor.serialize_inventory_list = function(self, list)
+	local list_table = {}
+	for _, stack in ipairs(list) do
+		table.insert(list_table, stack:to_string())
+	end
+	return minetest.serialize(list_table)
+end
+
+armor.deserialize_inventory_list = function(self, list_string)
+	local list_table = minetest.deserialize(list_string)
+	local list = {}
+	for _, stack in ipairs(list_table or {}) do
+		table.insert(list, ItemStack(stack))
+	end
+	return list
+end
+
+armor.load_armor_inventory = function(self, player)
+	local msg = "[load_armor_inventory]"
+	local name = player:get_player_name()
+	if not name then
+		minetest.log("warning", S("3d_armor: Player name is nil @1", msg))
+		return
+	end
+	local armor_inv = minetest.get_inventory({type="detached", name=name.."_armor"})
+	if not armor_inv then
+		minetest.log("warning", S("3d_armor: Detached armor inventory is nil @1", msg))
+		return
+	end
+	local armor_list_string = player:get_attribute("3d_armor_inventory")
+	if armor_list_string then
+		armor_inv:set_list("armor", self:deserialize_inventory_list(armor_list_string))
+		return true
+	end
+end
+
+armor.save_armor_inventory = function(self, player)
+	local msg = "[save_armor_inventory]"
+	local name = player:get_player_name()
+	if not name then
+		minetest.log("warning", S("3d_armor: Player name is nil @1", msg))
+		return
+	end
+	local armor_inv = minetest.get_inventory({type="detached", name=name.."_armor"})
+	if not armor_inv then
+		minetest.log("warning", S("3d_armor: Detached armor inventory is nil @1", msg))
+		return
+	end
+	player:set_attribute("3d_armor_inventory", self:serialize_inventory_list(armor_inv:get_list("armor")))
+end
+
 armor.update_inventory = function(self, player)
 	-- DEPRECATED: Legacy inventory support
 end
@ -438,17 +490,13 @@ armor.set_inventory_stack = function(self, player, i, stack)
 		minetest.log("warning", S("3d_armor: Player name is nil @1", msg))
 		return
 	end
-	local player_inv = player:get_inventory()
 	local armor_inv = minetest.get_inventory({type="detached", name=name.."_armor"})
-	if not player_inv then
-		minetest.log("warning", S("3d_armor: Player inventory is nil @1", msg))
-		return
-	elseif not armor_inv then
+	if not armor_inv then
 		minetest.log("warning", S("3d_armor: Detached armor inventory is nil @1", msg))
 		return
 	end
-	player_inv:set_stack("armor", i, stack)
 	armor_inv:set_stack("armor", i, stack)
+	self:save_armor_inventory(player)
 end

 armor.get_valid_player = function(self, player, msg)
@ -462,9 +510,9 @@ armor.get_valid_player = function(self, player, msg)
 		minetest.log("warning", S("3d_armor: Player name is nil @1", msg))
 		return
 	end
-	local inv = player:get_inventory()
+	local inv = minetest.get_inventory({type="detached", name=name.."_armor"})
 	if not inv then
-		minetest.log("warning", S("3d_armor: Player inventory is nil @1", msg))
+		minetest.log("warning", S("3d_armor: Detached armor inventory is nil @1", msg))
 		return
 	end
 	return name, inv
--- a/3d_armor/init.lua
+++ b/3d_armor/init.lua
@ -111,27 +111,23 @@ end)

 local function init_player_armor(player)
 	local name = player:get_player_name()
-	local player_inv = player:get_inventory()
 	local pos = player:getpos()
-	if not name or not player_inv or not pos then
+	if not name or not pos then
 		return false
 	end
 	local armor_inv = minetest.create_detached_inventory(name.."_armor", {
 		on_put = function(inv, listname, index, stack, player)
-			player:get_inventory():set_stack(listname, index, stack)
+			armor:save_armor_inventory(player)
 			armor:run_callbacks("on_equip", player, index, stack)
 			armor:set_player_armor(player)
 		end,
 		on_take = function(inv, listname, index, stack, player)
-			player:get_inventory():set_stack(listname, index, nil)
+			armor:save_armor_inventory(player)
 			armor:run_callbacks("on_unequip", player, index, stack)
 			armor:set_player_armor(player)
 		end,
 		on_move = function(inv, from_list, from_index, to_list, to_index, count, player)
-			local plaver_inv = player:get_inventory()
-			local stack = inv:get_stack(to_list, to_index)
-			player_inv:set_stack(to_list, to_index, stack)
-			player_inv:set_stack(from_list, from_index, nil)
+			armor:save_armor_inventory(player)
 			armor:set_player_armor(player)
 		end,
 		allow_put = function(inv, listname, index, stack, player)
@ -158,10 +154,18 @@ local function init_player_armor(player)
 		end,
 	}, name)
 	armor_inv:set_size("armor", 6)
-	player_inv:set_size("armor", 6)
+	if not armor:load_armor_inventory(player) and armor.migrate_old_inventory then
+		local player_inv = player:get_inventory()
+		player_inv:set_size("armor", 6)
+		for i=1, 6 do
+			local stack = player_inv:get_stack("armor", i)
+			armor_inv:set_stack("armor", i, stack)
+		end
+		armor:save_armor_inventory(player)
+		player_inv:set_size("armor", 0)
+	end
 	for i=1, 6 do
-		local stack = player_inv:get_stack("armor", i)
-		armor_inv:set_stack("armor", i, stack)
+		local stack = armor_inv:get_stack("armor", i)
 		armor:run_callbacks("on_equip", player, i, stack)
 	end
 	armor.def[name] = {
@ -256,13 +260,13 @@ end)

 if armor.config.drop == true or armor.config.destroy == true then
 	minetest.register_on_dieplayer(function(player)
-		local name, player_inv = armor:get_valid_player(player, "[on_dieplayer]")
+		local name, armor_inv = armor:get_valid_player(player, "[on_dieplayer]")
 		if not name then
 			return
 		end
 		local drop = {}
-		for i=1, player_inv:get_size("armor") do
-			local stack = player_inv:get_stack("armor", i)
+		for i=1, armor_inv:get_size("armor") do
+			local stack = armor_inv:get_stack("armor", i)
 			if stack:get_count() > 0 then
 				table.insert(drop, stack)
 				armor:set_inventory_stack(player, i, nil)