diff options
| author | red-001 <red-001@outlook.ie> | 2018-02-18 21:33:42 +0000 |
|---|---|---|
| committer | Loïc Blot <nerzhul@users.noreply.github.com> | 2018-02-18 22:33:42 +0100 |
| commit | 4bb41a19dc74fa31cb021dc3b5622814d67fbd6f (patch) | |
| tree | 6feeb93fb40c041907250e045cf54643c1b3821d /src/server.cpp | |
| parent | 63bcd3303622d52770fc54a4cbff07206f77d8cf (diff) | |
| download | minetest-4bb41a19dc74fa31cb021dc3b5622814d67fbd6f.tar.gz minetest-4bb41a19dc74fa31cb021dc3b5622814d67fbd6f.tar.bz2 minetest-4bb41a19dc74fa31cb021dc3b5622814d67fbd6f.zip | |
Mitigate formspec exploits by verifying that the formspec was shown to the user by the server. (#6878)
This doesn't check the fields in anyway whatsoever so it should only be seen as a way to mitigate exploits, a last line of defense to make it harder to exploit bugs in mods, not as a reason to not do all the usually checks.
Diffstat (limited to 'src/server.cpp')
| -rw-r--r-- | src/server.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/server.cpp b/src/server.cpp index 00fd8565a..24fbb38c8 100644 --- a/src/server.cpp +++ b/src/server.cpp @@ -1571,8 +1571,10 @@ void Server::SendShowFormspecMessage(session_t peer_id, const std::string &forms NetworkPacket pkt(TOCLIENT_SHOW_FORMSPEC, 0 , peer_id); if (formspec.empty()){ //the client should close the formspec + m_formspec_state_data.erase(peer_id); pkt.putLongString(""); } else { + m_formspec_state_data[peer_id] = formname; pkt.putLongString(FORMSPEC_VERSION_STRING + formspec); } pkt << formname; @@ -2660,6 +2662,9 @@ void Server::DeleteClient(session_t peer_id, ClientDeletionReason reason) ++i; } + // clear formspec info so the next client can't abuse the current state + m_formspec_state_data.erase(peer_id); + RemotePlayer *player = m_env->getPlayer(peer_id); /* Run scripts and remove from environment */ |