From 8c99f2232bdb52459ccf2a5b751cbe3f7797abc3 Mon Sep 17 00:00:00 2001
From: sfan5
Date: Fri, 17 Dec 2021 18:31:29 +0100
Subject: Don't let HTTP API pass through untrusted function

This has been a problem since the first day, oops.
---
 builtin/game/misc.lua | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'builtin/game/misc.lua')
diff --git a/builtin/game/misc.lua b/builtin/game/misc.lua
index ef826eda7..e86efc50c 100644
--- a/builtin/game/misc.lua
+++ b/builtin/game/misc.lua
@@ -250,7 +250,7 @@ end
 -- HTTP callback interface
-function core.http_add_fetch(httpenv)
+core.set_http_api_lua(function(httpenv)
 httpenv.fetch = function(req, callback)
 local handle = httpenv.fetch_async(req)
@@ -266,7 +266,8 @@ function core.http_add_fetch(httpenv)
 end
 return httpenv
-end
+end)
+core.set_http_api_lua = nil
 function core.close_formspec(player_name, formname)
--
cgit v1.2.3
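Review bot: The `core.set_http_api_lua = nil` line added in the second hunk appears to carry the whole security property of this change, yet it has no comment, so a later cleanup could drop or reorder it without anyone noticing. I would add above it something like `-- Remove the setter so code loaded after builtin cannot register its own wrapper around the HTTP API table.` The protection also depends on the engine keeping a private reference to the function passed in the first hunk (`core.set_http_api_lua(function(httpenv)`) rather than reading it back from the mutable `core` table. This diff is limited to `builtin/game/misc.lua`, so the engine side is not visible here and is worth confirming. The body of the registered function continues outside both hunks.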