authorsfan5 <sfan5@live.de>2022-05-25 19:07:49 +0200
committersfan5 <sfan5@live.de>2022-05-29 14:00:19 +0200
commitda71e86633d0b27cd02d7aac9fdac625d141ca13 (patch)
tree5a4f4c1939e2a4f5ee7c8e34932aa34fb4792be4
parentbccaf5fc2d11c31615d64b9bca91f908d06b7044 (diff)
Protect a few more settings from being set from mods
Of those settings main_menu_script has concrete security impact, the rest are added out of abundance of caution.
-rw-r--r--src/script/lua_api/l_settings.cpp21
1 files changed, 17 insertions, 4 deletions
diff --git a/src/script/lua_api/l_settings.cpp b/src/script/lua_api/l_settings.cpp
index 14398dda2..3f3fda56e 100644
--- a/src/script/lua_api/l_settings.cpp
+++ b/src/script/lua_api/l_settings.cpp
@@ -27,9 +27,11 @@ with this program; if not, write to the Free Software Foundation, Inc.,
#include "log.h"
-/* This protects:
- * 'secure.*' settings from being set
- * some mapgen settings from being set
+/* This protects the following from being set:
+ * 'secure.*' settings
+ * some security-relevant settings
+ * (better solution pending)
+ * some mapgen settings
* (not security-criticial, just to avoid messing up user configs)
*/
#define CHECK_SETTING_SECURITY(L, name) \
@@ -41,7 +43,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
static inline int checkSettingSecurity(lua_State* L, const std::string &name)
{
if (ScriptApiSecurity::isSecure(L) && name.compare(0, 7, "secure.") == 0)
- throw LuaError("Attempt to set secure setting.");
+ throw LuaError("Attempted to set secure setting.");
bool is_mainmenu = false;
#ifndef SERVER
@@ -54,6 +56,17 @@ static inline int checkSettingSecurity(lua_State* L, const std::string &name)
return -1;
}
+ const char *disallowed[] = {
+ "main_menu_script", "shader_path", "texture_path", "screenshot_path",
+ "serverlist_file", "serverlist_url", "map-dir", "contentdb_url",
+ };
+ if (!is_mainmenu) {
+ for (const char *name2 : disallowed) {
+ if (name == name2)
+ throw LuaError("Attempted to set disallowed setting.");
+ }
+ }
+
return 0;
}
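Review bot: The `disallowed` array added to checkSettingSecurity is an exact-match denylist with no comment stating what qualifies a setting for it, so a path- or URL-valued setting introduced later stays writable by mods unless someone remembers this list. I would state the criterion above the array, e.g. `// Settings that name a script, a filesystem path or a remote endpoint; extend this when adding such a setting.`, and declare it `static const char *const disallowed[]` so it is not rebuilt on every call. The thrown message could also carry the key, `throw LuaError("Attempted to set disallowed setting: " + name);`, so the log shows which setting a mod tried to change. The function starts in the previous hunk, and how `is_mainmenu` is derived after `#ifndef SERVER` is outside the visible lines, so the main-menu exemption cannot be checked from here.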