author | SmallJoker <mk939@ymail.com> | 2021-03-07 10:04:07 +0100 |
---|---|---|
committer | SmallJoker <SmallJoker@users.noreply.github.com> | 2021-03-07 17:18:02 +0100 |
commit | fc864029b9635106a5390aa09d227d7dac31d1a5 (patch) | |
tree | 175496ce3ac4d82621029060f2b21c2233b6290c /src | |
parent | d9b78d64929b8fbf1507c2d27dca6fbc105ecdb0 (diff) | |
Protect per-player detached inventory actions
Diffstat (limited to 'src')
-rw-r--r-- | src/network/serverpackethandler.cpp | 6 | ||||
-rw-r--r-- | src/server/serverinventorymgr.cpp | 12 | ||||
-rw-r--r-- | src/server/serverinventorymgr.h | 1 |
3 files changed, 18 insertions, 1 deletions
diff --git a/src/network/serverpackethandler.cpp b/src/network/serverpackethandler.cpp
index ddc6f4e47..f1ed42302 100644
--- a/src/network/serverpackethandler.cpp
+++ b/src/network/serverpackethandler.cpp
@@ -626,7 +626,7 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)
 const bool player_has_interact = checkPriv(player->getName(), "interact");
- auto check_inv_access = [player, player_has_interact] (
+ auto check_inv_access = [player, player_has_interact, this] (
 const InventoryLocation &loc) -> bool {
 if (loc.type == InventoryLocation::CURRENT_PLAYER)
 return false; // Only used internally on the client, never sent
@@ -634,6 +634,10 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)
 // Allow access to own inventory in all cases
 return loc.name == player->getName();
 }
+ if (loc.type == InventoryLocation::DETACHED) {
+ if (!getInventoryMgr()->checkDetachedInventoryAccess(loc, player->getName()))
+ return false;
+ }
 if (!player_has_interact) {
 infostream << "Cannot modify foreign inventory: "
diff --git a/src/server/serverinventorymgr.cpp b/src/server/serverinventorymgr.cpp
index 555e01ec6..2a80c9bbe 100644
--- a/src/server/serverinventorymgr.cpp
+++ b/src/server/serverinventorymgr.cpp
@@ -168,6 +168,18 @@ bool ServerInventoryManager::removeDetachedInventory(const std::string &name)
 return true;
 }
+bool ServerInventoryManager::checkDetachedInventoryAccess(
+ const InventoryLocation &loc, const std::string &player) const
+{
+ SANITY_CHECK(loc.type == InventoryLocation::DETACHED);
+
+ const auto &inv_it = m_detached_inventories.find(loc.name);
+ if (inv_it == m_detached_inventories.end())
+ return false;
+
+ return inv_it->second.owner.empty() || inv_it->second.owner == player;
+}
+
 void ServerInventoryManager::sendDetachedInventories(const std::string &peer_name,
 bool incremental,
 std::function<void(const std::string &, Inventory *)> apply_cb)
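Review bot: The new DETACHED branch of `check_inv_access` (second hunk of src/network/serverpackethandler.cpp) returns false without logging, while the interact-privilege branch right below it reports the refusal on `infostream`. A client acting on a detached inventory it does not own is the event an operator would want to see when investigating a modified client, so the refusal should leave a trace. Because the helper also returns false for an unknown inventory name, the message has to cover both cases, e.g. `infostream << "Detached inventory access denied or inventory unknown: " << loc.name << " (player " << player->getName() << ")" << std::endl;`. The lambda body starts before and continues past this hunk.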
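Review bot: `checkDetachedInventoryAccess` (src/server/serverinventorymgr.cpp) enforces its precondition with `SANITY_CHECK`, yet the `loc` it receives is parsed from a client packet. If that macro aborts the process, as its name suggests, a later caller that forgets to test `loc.type` first would let a malformed packet stop the server. The only caller visible in this commit does test the type, so this is hardening rather than a live bug; `if (loc.type != InventoryLocation::DETACHED) return false;` fails closed instead. Separately, `const auto &inv_it = m_detached_inventories.find(loc.name);` binds a reference to a temporary iterator, and a plain `const auto inv_it = ...` states the intent more directly.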
diff --git a/src/server/serverinventorymgr.h b/src/server/serverinventorymgr.h
index ccf6d3b2e..0e4b72415 100644
--- a/src/server/serverinventorymgr.h
+++ b/src/server/serverinventorymgr.h
@@ -43,6 +43,7 @@ public:
 Inventory *createDetachedInventory(const std::string &name, IItemDefManager *idef,
 const std::string &player = "");
 bool removeDetachedInventory(const std::string &name);
+ bool checkDetachedInventoryAccess(const InventoryLocation &loc, const std::string &player) const;
 void sendDetachedInventories(const std::string &peer_name, bool incremental,
 std::function<void(const std::string &, Inventory *)> apply_cb); |
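Review bot: The new declaration of `checkDetachedInventoryAccess` carries no comment, and its authorization contract cannot be read off the signature. Per the implementation in serverinventorymgr.cpp, an inventory whose owner is empty is accessible to every player, and an unknown inventory name is denied. I would put that above the declaration, e.g. `// Returns true if 'player' may access the detached inventory at 'loc': its owner is empty (shared) or equals 'player'; false if it does not exist.` The class body starts and ends outside this hunk.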