aboutsummaryrefslogtreecommitdiff
path: root/builtin/game
diff options
context:
space:
mode:
authorsfan5 <sfan5@live.de>2021-12-17 18:31:29 +0100
committersfan5 <sfan5@live.de>2021-12-18 20:37:13 +0100
commit8c99f2232bdb52459ccf2a5b751cbe3f7797abc3 (patch)
tree2078e91dedcd2112e6644fc53e45f32a0b7281fe /builtin/game
parent8472141b79c25092c90dea24aa873bd7ff792142 (diff)
downloadminetest-8c99f2232bdb52459ccf2a5b751cbe3f7797abc3.tar.gz
minetest-8c99f2232bdb52459ccf2a5b751cbe3f7797abc3.tar.bz2
minetest-8c99f2232bdb52459ccf2a5b751cbe3f7797abc3.zip
Don't let HTTP API pass through untrusted function
This has been a problem since the first day, oops.
Diffstat (limited to 'builtin/game')
-rw-r--r--builtin/game/misc.lua5
1 files changed, 3 insertions, 2 deletions
diff --git a/builtin/game/misc.lua b/builtin/game/misc.lua
index ef826eda7..e86efc50c 100644
--- a/builtin/game/misc.lua
+++ b/builtin/game/misc.lua
@@ -250,7 +250,7 @@ end
-- HTTP callback interface
-function core.http_add_fetch(httpenv)
+core.set_http_api_lua(function(httpenv)
httpenv.fetch = function(req, callback)
local handle = httpenv.fetch_async(req)
@@ -266,7 +266,8 @@ function core.http_add_fetch(httpenv)
end
return httpenv
-end
+end)
+core.set_http_api_lua = nil
function core.close_formspec(player_name, formname)