missing formspec escapes #5925
Labels
No Label
1. kind/balancing
1. kind/breaking
1. kind/bug
1. kind/construction
1. kind/documentation
1. kind/enhancement
1. kind/griefing
1. kind/invalid
1. kind/meme
1. kind/node limit
1. kind/other
1. kind/protocol
2. prio/controversial
2. prio/critical
2. prio/elevated
2. prio/good first issue
2. prio/interesting
2. prio/low
3. source/art
3. source/client
3. source/engine
3. source/ingame
3. source/integration
3. source/lag
3. source/license
3. source/mod upstream
3. source/unknown
3. source/website
4. step/approved
4. step/at work
4. step/blocked
4. step/discussion
4. step/help wanted
4. step/needs confirmation
4. step/partially fixed
4. step/question
4. step/ready to deploy
4. step/ready to QA test
4. step/want approval
5. result/cannot reproduce
5. result/duplicate
5. result/fixed
5. result/maybe
5. result/wontfix
ugh/petz
ugh/QA main
ugh/QA NOK
ugh/QA OK
No Milestone
No project
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: your-land/bugtracker#5925
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
seeing #5921 & #5920 I remember that I once found a missing formspec escape.
I showed Alias, but forgot to report it here.
I later did a grep for bad formspec patterns (which produced lots of false positives) and can add some more:
Mind to share your grep, so we (and other servers) can reproduce it on their code?
Forgot the exact command. Was on my old laptop.
I might find it in the bash history there, but I won't have access to that machine before tomorrow night.
i don't think this sort of bug is easily grep-able, though it could be detected with good integration testing. "wishes for 2024"
very true, around >90% of my grep are false-positive...
first attemp:
grep -r -n ";\"[\n ]*\.\."
(eg. grep for;" ..
since that's what most people use to create formspecs)Note that this won't catch formspecs build with
string.format
(I sometimes use this methods, but I haven't seen it somewhere else).doesn't work if someone starts their concatenation without a ; in the end of their formspec strings.
But this pattern creates way too much false-positives.
From looking into the result, I noticed that many modders formspec-escape while building the fs-string, so I changed the pattern to
grep -r -n ";\"[\n ]*\.\.[^(]*]"
Note that there are still tons of false positives (As mentioned in my first comment)
this pattern might also let some bad boys through, but will therefore remove many false positives.
Soo...
I don't really see a good way to find missing formspec escapes.
some patterns might help to find places where formspecs are build.
bad boys might still not be found by this pattern, but I've never seen such a bad boy (eg. I'm quite sure they don't exist / The cost/benefit ratio is not worth looking for them)
The grep output to find the examples in my first comment was around 100-200 lines. (But I used the first pattern, which included way more false positves (learned a lot about patterns since these days)
If the grep output from YL is <
1k<500 lines, I would volunteer to check them out and document my results here.started to fix some of the known problems:
not sure about mobs_core (according to /mods it's on YL): https://content.minetest.net/packages/mt-mods/mob_core/ says it is no longer supported. Their mobs_core:nametag is also affected. But I guess they are not obtainable on YL? (at least I can't find them in the crafting grid...)
We're throwing out mob_core, don't bother
petz upstream is merged
mobs redo is fixed too.
Had to fix my PR to moremesecons bc. I made it before I saw #6038 and therefore made the same mistake... But now it's fixed too...
QA
All three mentioned mods have their fs escaped properly, I can't add funny stuff :)
live