authorSmallJoker <mk939@ymail.com>2021-03-07 10:04:07 +0100
committerSmallJoker <SmallJoker@users.noreply.github.com>2021-03-07 17:18:02 +0100
commitfc864029b9635106a5390aa09d227d7dac31d1a5 (patch)
tree175496ce3ac4d82621029060f2b21c2233b6290c
parentd9b78d64929b8fbf1507c2d27dca6fbc105ecdb0 (diff)
Protect per-player detached inventory actions
-rw-r--r--src/network/serverpackethandler.cpp6
-rw-r--r--src/server/serverinventorymgr.cpp12
-rw-r--r--src/server/serverinventorymgr.h1
3 files changed, 18 insertions, 1 deletions
diff --git a/src/network/serverpackethandler.cpp b/src/network/serverpackethandler.cpp
index ddc6f4e47..f1ed42302 100644
--- a/src/network/serverpackethandler.cpp
+++ b/src/network/serverpackethandler.cpp
@@ -626,7 +626,7 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)
const bool player_has_interact = checkPriv(player->getName(), "interact");
- auto check_inv_access = [player, player_has_interact] (
+ auto check_inv_access = [player, player_has_interact, this] (
const InventoryLocation &loc) -> bool {
if (loc.type == InventoryLocation::CURRENT_PLAYER)
return false; // Only used internally on the client, never sent
@@ -634,6 +634,10 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)
// Allow access to own inventory in all cases
return loc.name == player->getName();
}
+ if (loc.type == InventoryLocation::DETACHED) {
+ if (!getInventoryMgr()->checkDetachedInventoryAccess(loc, player->getName()))
+ return false;
+ }
if (!player_has_interact) {
infostream << "Cannot modify foreign inventory: "
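Review bot: The new DETACHED branch returns false without logging, while the interact check directly below it writes an `infostream` line before refusing. A denied action on a detached inventory owned by another player is an event a server operator would want to see in the log, so the refusal should be recorded the same way, for example `infostream << "Cannot access detached inventory '" << loc.name << "' as " << player->getName() << std::endl;` before the `return false;`. The two nested `if`s could also be joined with `&&`, since the outer one has no other body. The lambda continues past the end of this hunk, so how a `false` result is handled is not visible here.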
diff --git a/src/server/serverinventorymgr.cpp b/src/server/serverinventorymgr.cpp
index 555e01ec6..2a80c9bbe 100644
--- a/src/server/serverinventorymgr.cpp
+++ b/src/server/serverinventorymgr.cpp
@@ -168,6 +168,18 @@ bool ServerInventoryManager::removeDetachedInventory(const std::string &name)
return true;
}
+bool ServerInventoryManager::checkDetachedInventoryAccess(
+ const InventoryLocation &loc, const std::string &player) const
+{
+ SANITY_CHECK(loc.type == InventoryLocation::DETACHED);
+
+ const auto &inv_it = m_detached_inventories.find(loc.name);
+ if (inv_it == m_detached_inventories.end())
+ return false;
+
+ return inv_it->second.owner.empty() || inv_it->second.owner == player;
+}
+
void ServerInventoryManager::sendDetachedInventories(const std::string &peer_name,
bool incremental,
std::function<void(const std::string &, Inventory *)> apply_cb)
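Review bot: checkDetachedInventoryAccess has no comment stating its contract, and that contract is security-relevant: an inventory whose `owner` is empty is open to every player, and an unknown inventory name is denied. I would put this above the definition (or the declaration in serverinventorymgr.h): `// Returns true if 'player' may act on detached inventory 'loc'; inventories without an owner are open to everyone, unknown names are denied.` Separately, `SANITY_CHECK(loc.type == InventoryLocation::DETACHED)` presumably aborts rather than returns; the caller in serverpackethandler.cpp checks the type first, but since locations originate from client packets, `if (loc.type != InventoryLocation::DETACHED) return false;` would be the safer default for any future caller. As a style point, `const auto &inv_it = m_detached_inventories.find(...)` binds a reference to a temporary iterator; plain `auto inv_it` is the conventional form.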
diff --git a/src/server/serverinventorymgr.h b/src/server/serverinventorymgr.h
index ccf6d3b2e..0e4b72415 100644
--- a/src/server/serverinventorymgr.h
+++ b/src/server/serverinventorymgr.h
@@ -43,6 +43,7 @@ public:
Inventory *createDetachedInventory(const std::string &name, IItemDefManager *idef,
const std::string &player = "");
bool removeDetachedInventory(const std::string &name);
+ bool checkDetachedInventoryAccess(const InventoryLocation &loc, const std::string &player) const;
void sendDetachedInventories(const std::string &peer_name, bool incremental,
std::function<void(const std::string &, Inventory *)> apply_cb);