your-land/bugtracker
your-land
/
bugtracker
44
20
Code Issues 2.5k Projects 2 Wiki

missing formspec escapes #5925

New Issue
Closed
opened 2024-01-06 22:31:37 +00:00 by tour · 11 comments
tour commented 2024-01-06 22:31:37 +00:00
Copy Link

seeing #5921 & #5920 I remember that I once found a missing formspec escape.
I showed Alias, but forgot to report it here.

I later did a grep for bad formspec patterns (which produced lots of false positives) and can add some more:

  • locks
  • mobs_core and mobs_redo nametag
  • moremesecons craftable command block
  • petz christmas present
seeing #5921 & #5920 I remember that I once found a missing formspec escape. I showed Alias, but forgot to report it here. I later did a grep for bad formspec patterns (which produced lots of false positives) and can add some more: - locks - mobs_core and mobs_redo nametag - moremesecons craftable command block - petz christmas present
👍 5
AliasAlreadyTaken added the
1. kind/bug
3. source/mod upstream
 labels 2024-01-06 22:49:53 +00:00
AliasAlreadyTaken commented 2024-01-06 22:50:15 +00:00
Owner
Copy Link

Mind to share your grep, so we (and other servers) can reproduce it on their code?

Mind to share your grep, so we (and other servers) can reproduce it on their code?
tour commented 2024-01-06 22:54:47 +00:00
Author
Copy Link

Forgot the exact command. Was on my old laptop.
I might find it in the bash history there, but I won't have access to that machine before tomorrow night.

Forgot the exact command. Was on my old laptop. I might find it in the bash history there, but I won't have access to that machine before tomorrow night.
👍 1
flux added the
2. prio/critical
 label 2024-01-07 02:27:45 +00:00
flux commented 2024-01-07 02:28:50 +00:00
Member
Copy Link

i don't think this sort of bug is easily grep-able, though it could be detected with good integration testing. "wishes for 2024"

i don't think this sort of bug is easily grep-able, though it could be detected with good integration testing. "wishes for 2024"
👍 1
tour commented 2024-01-07 21:10:14 +00:00
Author
Copy Link

i don't think this sort of bug is easily grep-able

very true, around >90% of my grep are false-positive...

first attemp: grep -r -n ";\"[\n ]*\.\." (eg. grep for ;" .. since that's what most people use to create formspecs)
Note that this won't catch formspecs build with string.format (I sometimes use this methods, but I haven't seen it somewhere else).
doesn't work if someone starts their concatenation without a ; in the end of their formspec strings.

But this pattern creates way too much false-positives.
From looking into the result, I noticed that many modders formspec-escape while building the fs-string, so I changed the pattern to
grep -r -n ";\"[\n ]*\.\.[^(]*]"
Note that there are still tons of false positives (As mentioned in my first comment)
this pattern might also let some bad boys through, but will therefore remove many false positives.

Soo...
I don't really see a good way to find missing formspec escapes.
some patterns might help to find places where formspecs are build.
bad boys might still not be found by this pattern, but I've never seen such a bad boy (eg. I'm quite sure they don't exist / The cost/benefit ratio is not worth looking for them)

The grep output to find the examples in my first comment was around 100-200 lines. (But I used the first pattern, which included way more false positves (learned a lot about patterns since these days)
If the grep output from YL is <1k <500 lines, I would volunteer to check them out and document my results here.

> i don't think this sort of bug is easily grep-able very true, around >90% of my grep are false-positive... first attemp: `grep -r -n ";\"[\n ]*\.\."` (eg. grep for `;" ..` since that's what most people use to create formspecs) Note that this won't catch formspecs build with `string.format` (I sometimes use this methods, but I haven't seen it somewhere else). doesn't work if someone starts their concatenation without a ; in the end of their formspec strings. But this pattern creates **way too much** false-positives. From looking into the result, I noticed that many modders formspec-escape while building the fs-string, so I changed the pattern to `grep -r -n ";\"[\n ]*\.\.[^(]*]"` Note that there are still tons of false positives (As mentioned in my first comment) this pattern might also let some bad boys through, but will therefore remove many false positives. Soo... I don't really see a good way to find missing formspec escapes. some patterns might help to find places where formspecs are build. bad boys might still not be found by this pattern, but I've never seen such a bad boy (eg. I'm quite sure they don't exist / The cost/benefit ratio is not worth looking for them) The grep output to find the examples in my first comment was around 100-200 lines. (But I used the first pattern, which included way more false positves (learned a lot about patterns since these days) If the grep output from YL is <~~1k~~ <500 lines, I would volunteer to check them out and document my results here.
tour commented 2024-01-21 01:39:08 +00:00
Author
Copy Link

started to fix some of the known problems:

started to fix some of the known problems: - petz (already merged while writing this): https://github.com/runsy/petz/pull/207 - moremesecons (craftable command block): https://github.com/minetest-mods/MoreMesecons/pull/34 - mobs redo: https://codeberg.org/tenplus1/mobs_redo/pulls/9 not sure about mobs_core (according to /mods it's on YL): https://content.minetest.net/packages/mt-mods/mob_core/ says it is no longer supported. Their mobs_core:nametag is also affected. But I guess they are not obtainable on YL? (at least I can't find them in the crafting grid...)
AliasAlreadyTaken commented 2024-01-21 01:44:42 +00:00
Owner
Copy Link

We're throwing out mob_core, don't bother

We're throwing out mob_core, don't bother
flux added the
4. step/ready to QA test
4. step/partially fixed
 labels 2024-01-21 23:14:02 +00:00
flux commented 2024-01-21 23:14:53 +00:00
Member
Copy Link

petz upstream is merged

petz upstream is merged
👍 1
tour commented 2024-01-21 23:32:57 +00:00
Author
Copy Link

mobs redo is fixed too.

mobs redo is fixed too.
👍 1
tour commented 2024-01-23 20:09:18 +00:00
Author
Copy Link

Had to fix my PR to moremesecons bc. I made it before I saw #6038 and therefore made the same mistake... But now it's fixed too...

Had to fix my PR to moremesecons bc. I made it before I saw #6038 and therefore made the same mistake... But now it's fixed too...
AliasAlreadyTaken added this to the 1.1.123 milestone 2024-01-24 04:51:47 +00:00
AliasAlreadyTaken commented 2024-01-28 12:50:29 +00:00
Owner
Copy Link

QA

All three mentioned mods have their fs escaped properly, I can't add funny stuff :)

QA All three mentioned mods have their fs escaped properly, I can't add funny stuff :)
AliasAlreadyTaken added the
ugh/QA OK
 label 2024-01-28 12:50:33 +00:00
flux added
5. result/fixed
 and removed
4. step/ready to QA test
4. step/partially fixed
 labels 2024-03-28 20:18:20 +00:00
flux commented 2024-03-28 20:18:43 +00:00
Member
Copy Link

live

live
flux closed this issue 2024-03-28 20:18:43 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
1. kind/balancing

Depends on balancing

  
1. kind/breaking

something that alters or disables an existing game mechanic

  
1. kind/bug

Something is not working

  
1. kind/construction

A build needs fixing

  
1. kind/documentation

Needs proper documentation

  
1. kind/enhancement

New feature

  
1. kind/griefing

players despoiling builds or nature

  
1. kind/invalid

Not a valid report, e.g. created by mistake with no content.

  
1. kind/meme

issue is mostly a joke

  
1. kind/node limit

something which works for or against the node limit

  
1. kind/other

Something not within the other kinds

  
1. kind/protocol

something concerning how staff should react to player requests, or how players should treat each other

  
2. prio/controversial

not likely to happen w/out a lot of discussion

  
2. prio/critical

Very important

  
2. prio/elevated

something players are eager to have fixed

  
2. prio/good first issue

the resolution to this is could be done by a new minetest contributor, who doesn't yet understand the mod ecosystem

  
2. prio/interesting

one of us has real interest in getting this implemented or fixed. however, more research might be needed.

  
2. prio/low

Not so important

  
3. source/art

art needs to be created or found for this to exist. includes sound, 3d modelling, and in-game building.

  
3. source/client

Issue is with the minetest client, or with player client configuration or the technical details of their setup

  
3. source/engine

Issue is due to a bug or feature of the minetest engine

  
3. source/ingame

Problem and solution exist in-game, e.g. builds or player moderation

  
3. source/integration

Two or more nonbuggy mechanics conflict, or our attempts to rectify conflicting mechanics have created a new bug

  
3. source/lag

A problem which is caused or made worse by lag, due to server processing issues, client processing issues, or network issues

  
3. source/license

A licensing problem is involved

  
3. source/mod upstream

Problem is upstream (not engine/client)

  
3. source/unknown

   
3. source/website

Affects the website

  
4. step/approved

Alias has approved this feature, someone should implement it

  
4. step/at work

Being worked on

  
4. step/blocked

we plan to do this, but other work has to be finished first

  
4. step/discussion

issue is under discussion, a solution has not been dictated or agreed upon

  
4. step/help wanted

Need some help

  
4. step/needs confirmation

   
4. step/partially fixed

this is mitigated or partially solved, but more work needs to be done

  
4. step/question

More information is needed

  
4. step/ready to deploy

has been QA tested by another person. has no outstanding issues. might be installed on prod, but needs final testing

  
4. step/ready to QA test

the code is supposedly fixed, but needs to be tested.

  
4. step/want approval

Someone can quickly implement this if Alias approves the change/feature

  
5. result/cannot reproduce

   
5. result/duplicate

This issue or pull request already exists

  
5. result/fixed

problem is fixed

  
5. result/maybe

not planned currently, but maybe some day

  
5. result/wontfix

the reported issue won't be changed, whether it's intentional or not.

  
ugh/petz

yet another petz bugz.

  
ugh/QA main

That's something we can only wait and see whether it hapens again: On the main server

  
ugh/QA NOK

Fix didn't yield the expected results

  
ugh/QA OK

tested

No Label
1. kind/balancing
1. kind/breaking
1. kind/bug
1. kind/construction
1. kind/documentation
1. kind/enhancement
1. kind/griefing
1. kind/invalid
1. kind/meme
1. kind/node limit
1. kind/other
1. kind/protocol
2. prio/controversial
2. prio/critical
2. prio/elevated
2. prio/good first issue
2. prio/interesting
2. prio/low
3. source/art
3. source/client
3. source/engine
3. source/ingame
3. source/integration
3. source/lag
3. source/license
3. source/mod upstream
3. source/unknown
3. source/website
4. step/approved
4. step/at work
4. step/blocked
4. step/discussion
4. step/help wanted
4. step/needs confirmation
4. step/partially fixed
4. step/question
4. step/ready to deploy
4. step/ready to QA test
4. step/want approval
5. result/cannot reproduce
5. result/duplicate
5. result/fixed
5. result/maybe
5. result/wontfix
ugh/petz
ugh/QA main
ugh/QA NOK
ugh/QA OK
Milestone
Clear milestone
No items
No Milestone
1.1.123
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
3 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: your-land/bugtracker#5925
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?