mrminer reports: digiliens adv touchscreen shou ... #4876

New Issue

yourland-report · 2023-07-01T20:31:25Z

yourland-report commented

2023-07-01 20:31:25 +00:00

mrminer reports a bug:

digiliens adv touchscreen should be craftable

Player position:

{
	y = 52,
	z = 378.73199462891,
	x = 2888.0480957031
}

Player look:

{
	y = 0.039957400411367,
	z = 0.43770712614059,
	x = 0.8982293009758
}

Player information:

{
	formspec_version = 6,
	lang_code = "",
	protocol_version = 42,
	minor = 7,
	state = "Active",
	version_string = "5.7.0",
	major = 5,
	max_rtt = 1.6180000305176,
	ip_version = 6,
	min_rtt = 0.1140000000596,
	avg_rtt = 0.12300000339746,
	min_jitter = 0,
	max_jitter = 1.4930000305176,
	avg_jitter = 0.0030000060796738,
	connection_uptime = 566,
	serialization_version = 29,
	patch = 0
}

Player meta:

{
	fields = {
		arenalib_infobox_arenaID = "0",
		["stamina:level"] = "12",
		xp = "58358",
		yl_commons_thankyou = "71",
		["stamina:exhaustion"] = "76.5",
		["hud_manager:choppy:waypoint_enabled"] = "y",
		digged_nodes = "128358",
		placed_nodes = "47715",
		died = "634",
		crafted = "29062",
		yl_commons_player_created = "1646186882",
		yl_commons_player_joined = "1688242939",
		["signslib:pos"] = "(2917,72,289)",
		["petz:old_override_table"] = "return {[\"new_move\"] = true, [\"jump\"] = 1.5, [\"gravity\"] = 1, [\"sneak_glitch\"] = false, [\"speed\"] = 2, [\"sneak\"] = true}",
		["petz:werewolf_clan_idx"] = "4",
		["unified_inventory:bags"] = "return {\"unified_inventory:bag_large\", \"unified_inventory:bag_large\", \"unified_inventory:bag_large\", \"unified_inventory:bag_large\"}",
		repellant = "0",
		["ocean_build.last_warning"] = "1.6733e+09",
		["ocean_build.forbidden"] = "true",
		["ocean_build.ocean_built"] = "12",
		["3d_armor_inventory"] = "return {\"3d_armor:helmet_nether 1 4400\", \"3d_armor:chestplate_crystal 1 4400\", \"3d_armor:leggings_crystal 1 4400\", \"3d_armor:boots_crystal 1 4400\", \"shields:shield_crystal 1 4400\", \"\"}",
		["petz:werewolf"] = "0",
		jointime = "1646186882",
		bitten = "0",
		punch_count = "22983",
		partychat = "party",
		inflicted_damage = "476624",
		yl_church = "return {[\"last_heal\"] = 1677356984, [\"last_death\"] = {[\"y\"] = 18, [\"z\"] = 1173, [\"x\"] = 1986}, [\"last_death_portal\"] = 1687820074}",
		["petz:lycanthropy"] = "0",
		played_time = "3286685",
		hud_state = "on",
		["stamina:poisoned"] = "no",
		["petz:werewolf_vignette_id"] = "19",
		arenalib_watchID = "0"
	}
}

Log identifier


[MOD] yl_report log identifier = rZcPsu2L2LFtJHDqgy4QEPPDau23yDxu

Profiler save:

profile-20230701T203125.json_prettyEE

Status:

# Server: version: 5.7.0-yl-thx-tmm | game: Minetest Game | uptime: 2d 12h 28min 42s | max lag: 0.534s | clients (23/52): AliasAlreadyTaken, Bailiff, Beth75, betzi, Boot, darealbang, daydream, DragonWrangler1, Ernle1, FireThatFollows, flux, goiaba, HorusDamocles, JeCel, mrminer, NodeBreaker, Ravise, Sacrementum, Service, Shadow, shanish2, whosit, Zerko

Teleport command:

/teleport xyz 2888 52 379

Compass command:

/give_compass Construction rZcPsu2L2LFtJHDqgy4QEPPDau23yDxu D2691E 2888 52 379

mrminer reports a bug: > digiliens adv touchscreen should be craftable Player position: ``` { y = 52, z = 378.73199462891, x = 2888.0480957031 } ``` Player look: ``` { y = 0.039957400411367, z = 0.43770712614059, x = 0.8982293009758 } ``` Player information: ``` { formspec_version = 6, lang_code = "", protocol_version = 42, minor = 7, state = "Active", version_string = "5.7.0", major = 5, max_rtt = 1.6180000305176, ip_version = 6, min_rtt = 0.1140000000596, avg_rtt = 0.12300000339746, min_jitter = 0, max_jitter = 1.4930000305176, avg_jitter = 0.0030000060796738, connection_uptime = 566, serialization_version = 29, patch = 0 } ``` Player meta: ``` { fields = { arenalib_infobox_arenaID = "0", ["stamina:level"] = "12", xp = "58358", yl_commons_thankyou = "71", ["stamina:exhaustion"] = "76.5", ["hud_manager:choppy:waypoint_enabled"] = "y", digged_nodes = "128358", placed_nodes = "47715", died = "634", crafted = "29062", yl_commons_player_created = "1646186882", yl_commons_player_joined = "1688242939", ["signslib:pos"] = "(2917,72,289)", ["petz:old_override_table"] = "return {[\"new_move\"] = true, [\"jump\"] = 1.5, [\"gravity\"] = 1, [\"sneak_glitch\"] = false, [\"speed\"] = 2, [\"sneak\"] = true}", ["petz:werewolf_clan_idx"] = "4", ["unified_inventory:bags"] = "return {\"unified_inventory:bag_large\", \"unified_inventory:bag_large\", \"unified_inventory:bag_large\", \"unified_inventory:bag_large\"}", repellant = "0", ["ocean_build.last_warning"] = "1.6733e+09", ["ocean_build.forbidden"] = "true", ["ocean_build.ocean_built"] = "12", ["3d_armor_inventory"] = "return {\"3d_armor:helmet_nether 1 4400\", \"3d_armor:chestplate_crystal 1 4400\", \"3d_armor:leggings_crystal 1 4400\", \"3d_armor:boots_crystal 1 4400\", \"shields:shield_crystal 1 4400\", \"\"}", ["petz:werewolf"] = "0", jointime = "1646186882", bitten = "0", punch_count = "22983", partychat = "party", inflicted_damage = "476624", yl_church = "return {[\"last_heal\"] = 1677356984, [\"last_death\"] = {[\"y\"] = 18, [\"z\"] = 1173, [\"x\"] = 1986}, [\"last_death_portal\"] = 1687820074}", ["petz:lycanthropy"] = "0", played_time = "3286685", hud_state = "on", ["stamina:poisoned"] = "no", ["petz:werewolf_vignette_id"] = "19", arenalib_watchID = "0" } } ``` Log identifier ``` [MOD] yl_report log identifier = rZcPsu2L2LFtJHDqgy4QEPPDau23yDxu ``` Profiler save: ``` profile-20230701T203125.json_prettyEE ``` Status: ``` # Server: version: 5.7.0-yl-thx-tmm | game: Minetest Game | uptime: 2d 12h 28min 42s | max lag: 0.534s | clients (23/52): AliasAlreadyTaken, Bailiff, Beth75, betzi, Boot, darealbang, daydream, DragonWrangler1, Ernle1, FireThatFollows, flux, goiaba, HorusDamocles, JeCel, mrminer, NodeBreaker, Ravise, Sacrementum, Service, Shadow, shanish2, whosit, Zerko ``` Teleport command: ``` /teleport xyz 2888 52 379 ``` Compass command: ``` /give_compass Construction rZcPsu2L2LFtJHDqgy4QEPPDau23yDxu D2691E 2888 52 379 ```

AliasAlreadyTaken was assigned by yourland-report

2023-07-01 20:31:25 +00:00

AliasAlreadyTaken added the

1. kind/enhancement

1. kind/balancing

labels 2023-07-01 20:48:13 +00:00

AliasAlreadyTaken commented

2023-07-01 20:49:09 +00:00

What does the advanced touchscreen do, in contrast to the normal one?

AliasAlreadyTaken added the

4. step/help wanted

label 2023-07-01 20:49:16 +00:00

whosit commented

2023-07-01 21:26:47 +00:00

	if node.name == "digistuff:advtouchscreen" then
		if type(msg) == "string" then meta:set_string("formspec",msg) end
	else

Allows to directly set the node formspec... could be exploited in some way probably? Not sure how exactly.

```lua if node.name == "digistuff:advtouchscreen" then if type(msg) == "string" then meta:set_string("formspec",msg) end else ``` Allows to directly set the node formspec... could be exploited in some way probably? Not sure how exactly.

niceride commented

2023-07-03 07:08:51 +00:00

	if node.name == "digistuff:advtouchscreen" then
		if type(msg) == "string" then meta:set_string("formspec",msg) end
	else
Allows to directly set the node formspec... could be exploited in some way probably? Not sure how exactly.

Note this is aliased in [https://github.com/mt-mods/digistuff]:

touchscreen.lua:266:minetest.register_alias("digistuff:advtouchscreen", "digistuff:touchscreen")

And I guess what is upstream [https://cheapiesystems.com/git/digistuff] has the extra functionality.

I find a forum thread that does show a direct comparison of touchscreen vs adv touchscreen for setup, at [https://content.minetest.net/threads/719/#reply-3978].

Also reference [https://luk3yx.gitlab.io/minetest-formspec-editor/] for a WYSIWYG formspec designer web app.

> ```lua > if node.name == "digistuff:advtouchscreen" then > if type(msg) == "string" then meta:set_string("formspec",msg) end > else > ``` > Allows to directly set the node formspec... could be exploited in some way probably? Not sure how exactly. Note this is aliased in [https://github.com/mt-mods/digistuff]: ``` touchscreen.lua:266:minetest.register_alias("digistuff:advtouchscreen", "digistuff:touchscreen") ``` And I guess what is upstream [https://cheapiesystems.com/git/digistuff] has the extra functionality. I find a forum thread that does show a direct comparison of touchscreen vs adv touchscreen for setup, at [https://content.minetest.net/threads/719/#reply-3978]. Also reference [https://luk3yx.gitlab.io/minetest-formspec-editor/] for a WYSIWYG formspec designer web app.

flux commented

2023-07-04 00:16:50 +00:00

	if node.name == "digistuff:advtouchscreen" then
		if type(msg) == "string" then meta:set_string("formspec",msg) end
	else
Allows to directly set the node formspec... could be exploited in some way probably? Not sure how exactly.

that's rather dangerous, hostile formspecs can cause client crashes or display arbitrary images

> ```lua > if node.name == "digistuff:advtouchscreen" then > if type(msg) == "string" then meta:set_string("formspec",msg) end > else > ``` > Allows to directly set the node formspec... could be exploited in some way probably? Not sure how exactly. that's rather dangerous, hostile formspecs can cause client crashes or display arbitrary images

AliasAlreadyTaken commented

2023-07-04 01:25:12 +00:00

Does msg come unescaped from userinput? Could they call any function in that?

whosit commented

2023-07-04 05:31:03 +00:00

You can set it to arbitrary string via digilines.
https://cheapiesystems.com/git/digistuff/tree/touchscreen.lua#n258
Not sure about executing code, but via that formspec you have access to this:

Inventory locations

    "context": Selected node metadata (deprecated: "current_name")
    "current_player": Player to whom the menu is shown
    "player:<name>": Any player
    "nodemeta:<X>,<Y>,<Z>": Any node metadata
    "detached:<name>": A detached inventory

You can set it to arbitrary string via digilines. https://cheapiesystems.com/git/digistuff/tree/touchscreen.lua#n258 Not sure about executing code, but via that formspec you have access to this: ``` Inventory locations "context": Selected node metadata (deprecated: "current_name") "current_player": Player to whom the menu is shown "player:<name>": Any player "nodemeta:<X>,<Y>,<Z>": Any node metadata "detached:<name>": A detached inventory ```

AliasAlreadyTaken commented

2023-07-04 17:16:44 +00:00

Any node metadata ????
A detached inventory ????

Cuurent player as in "the object ref" ??

Any node metadata ???? A detached inventory ???? Cuurent player as in "the object ref" ??

whosit commented

2023-07-04 17:24:59 +00:00

No, you can just create a formspec of all those inventories... it would still call all the callbacks for them though, so maybe even not as catastrophic for everything X)
But yeah, that's why it's not craftable probably :p

No, you can just create a formspec of all those inventories... it would still call all the callbacks for them though, so maybe even not as catastrophic for everything X) But yeah, that's why it's not craftable probably :p

flux commented

2023-07-05 02:31:12 +00:00

Any node metadata ????
A detached inventory ????

Cuurent player as in "the object ref" ??

right, this is scary. it'd let you see any inventory in the game, and interact w/ any of them if the callbacks aren't restrictive enough. at the very least, it'd let you take stuff out of any of your chests anywhere in the world.

> Any node metadata ???? > A detached inventory ???? > > Cuurent player as in "the object ref" ?? right, this is scary. it'd let you see any inventory in the game, and interact w/ any of them if the callbacks aren't restrictive enough. at the very least, it'd let you take stuff out of any of your chests anywhere in the world.

AliasAlreadyTaken commented

2023-07-05 16:09:15 +00:00

Can we make sure the normal touchscreen does not have those "features" ?

sixer commented

2023-07-05 20:44:02 +00:00

right, this is scary. it'd let you see any inventory in the game, and interact w/ any of them if the callbacks aren't restrictive enough. at the very least, it'd let you take stuff out of any of your chests anywhere in the world.

wouldn't the anticheat prevent that, as you are interacting with inventory from more than allowed distance?

> right, this is scary. it'd let you see any inventory in the game, and interact w/ any of them if the callbacks aren't restrictive enough. at the very least, it'd let you take stuff out of any of your chests anywhere in the world. wouldn't the anticheat prevent that, as you are interacting with inventory from more than allowed distance?

flux commented

2023-07-05 22:28:53 +00:00

wouldn't the anticheat prevent that, as you are interacting with inventory from more than allowed distance?

hmmm i thought it just blocked dig/place and left-click/right-click, possibly it also blocks interact w/ node inventories from a distance? but i don't think it'd block interacting w/ player or detached inventories from a distance?

> wouldn't the anticheat prevent that, as you are interacting with inventory from more than allowed distance? hmmm i thought it just blocked dig/place and left-click/right-click, possibly it also blocks interact w/ node inventories from a distance? but i don't think it'd block interacting w/ player or detached inventories from a distance?

whosit commented

2023-07-10 09:41:42 +00:00

Did some experiments:

yes, I can see any node inventory (even of a locked chest not owned by me)
yes, I can see other player's armor inventory, no, I can't interact
no I can't take stuff from locked chest not owned by me
no I can't take stuff from a chest that I can access normally if it's too far
no I can't see another player's inv, probably because server does not send it to me?
no, I can't see player's bags contents
no, can't create new inventories in random nodes

So, this is not catastrophic, but if inventory does not have right callbacks, can be exploited. Anyway, digistuff:advtouchscreen should not be craftable and accessible to random people.

I think we can close this as wontfix.

Did some experiments: - yes, I can see any node inventory (even of a locked chest not owned by me) - yes, I can see other player's armor inventory, no, I can't interact - no I can't take stuff from locked chest not owned by me - no I can't take stuff from a chest that I _can_ access normally if it's too far - no I can't see another player's inv, probably because server does not send it to me? - no, I can't see player's bags contents - no, can't create new inventories in random nodes So, this is not catastrophic, but if inventory does not have right callbacks, can be exploited. Anyway, `digistuff:advtouchscreen` should not be craftable and accessible to random people. I think we can close this as `wontfix`.

👍 1

niceride commented

2023-07-10 18:50:35 +00:00

Is there any useful case of this for developing Your Land? If not, then alias it away as in the mt-mods repo to avoid accidental use.

flux commented

2023-07-10 22:29:35 +00:00

Is there any useful case of this for developing Your Land? If not, then alias it away as in the mt-mods repo to avoid accidental use.

not that i can think of. if we want to show custom formspec, we can just write a mod.

> Is there any useful case of this for developing Your Land? If not, then alias it away as in the mt-mods repo to avoid accidental use. not that i can think of. if we want to show custom formspec, we can just write a mod.

tour referenced this issue

2023-11-04 12:40:34 +00:00

DragonWrangler1 reports: something wrong with the onlin ... #5453

flux referenced this issue

2024-01-08 04:00:20 +00:00

rheo reports: digistuff:touchscreen can be u ... #5923

flux commented

2024-01-08 04:00:50 +00:00

vote to make this staff-only, ASAP.

flux referenced this issue from a commit

2024-01-08 04:05:46 +00:00

your-land/bugtracker#4876 gate the advanced touchscreen on staff priv

flux commented

2024-01-08 04:06:28 +00:00

i've taken the initiative to gate this on staff priv. if i'm mistaken, it's easy to reverse e84490d36b

i've taken the initiative to gate this on staff priv. if i'm mistaken, it's easy to reverse https://gitea.your-land.de/your-land/mese_restriction/commit/e84490d36bc886380d2678f5e02a597d61dcab9b

👍 1

tour referenced this issue

2024-03-17 08:56:15 +00:00

whosit reports: normal digistuff:touchscreen s ... #6510

Sign in to join this conversation.