
Commit fc86402

committed
Protect per-player detached inventory actions
1 parent d9b78d6 commit fc86402


3 files changed

+18
-1
lines changed


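--- a/src/network/serverpackethandler.cpp
+++ b/src/network/serverpackethandler.cpp
@@ -626,14 +626,18 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)
 
 const bool player_has_interact = checkPriv(player->getName(), "interact");
 
-auto check_inv_access = [player, player_has_interact] (
+auto check_inv_access = [player, player_has_interact, this] (
 const InventoryLocation &loc) -> bool {
 if (loc.type == InventoryLocation::CURRENT_PLAYER)
 return false; // Only used internally on the client, never sent
 if (loc.type == InventoryLocation::PLAYER) {
 // Allow access to own inventory in all cases
 return loc.name == player->getName();
 }
+if (loc.type == InventoryLocation::DETACHED) {
+if (!getInventoryMgr()->checkDetachedInventoryAccess(loc, player->getName()))
+return false;
+}
 
 if (!player_has_interact) {
 infostream << "Cannot modify foreign inventory: "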
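Review bot: The new DETACHED branch in check_inv_access returns false without logging anything, while the interact-privilege failure just below it reports through infostream. A refused action on a detached inventory owned by someone else is presumably not something a well-behaved client sends, so it is worth recording for later review, e.g. `infostream << "Cannot access detached inventory " << loc.name << ": not permitted for " << player->getName() << std::endl;` before the `return false;`. Note that loc.name is client-supplied, so it should be treated as untrusted text wherever the log is consumed. The lambda and the enclosing handler both continue past the end of this hunk.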

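--- a/src/server/serverinventorymgr.cpp
+++ b/src/server/serverinventorymgr.cpp
@@ -168,6 +168,18 @@ bool ServerInventoryManager::removeDetachedInventory(const std::string &name)
 return true;
 }
 
+bool ServerInventoryManager::checkDetachedInventoryAccess(
+const InventoryLocation &loc, const std::string &player) const
+{
+SANITY_CHECK(loc.type == InventoryLocation::DETACHED);
+
+const auto &inv_it = m_detached_inventories.find(loc.name);
+if (inv_it == m_detached_inventories.end())
+return false;
+
+return inv_it->second.owner.empty() || inv_it->second.owner == player;
+}
+
 void ServerInventoryManager::sendDetachedInventories(const std::string &peer_name,
 bool incremental,
 std::function<void(const std::string &, Inventory *)> apply_cb)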
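Review bot: checkDetachedInventoryAccess asserts on loc.type with SANITY_CHECK, yet in the one caller visible in this commit the location appears to originate from a client packet. If SANITY_CHECK terminates the process on failure (its definition is not shown here), a future caller that forgets to pre-filter the type would turn a malformed location into a server stop. An access predicate is safer failing closed: `if (loc.type != InventoryLocation::DETACHED) return false;`. Separately, `const auto &inv_it = m_detached_inventories.find(loc.name);` binds a reference to a temporary iterator; `const auto inv_it` expresses the same thing more plainly.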

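--- a/src/server/serverinventorymgr.h
+++ b/src/server/serverinventorymgr.h
@@ -43,6 +43,7 @@ class ServerInventoryManager : public InventoryManager
 Inventory *createDetachedInventory(const std::string &name, IItemDefManager *idef,
 const std::string &player = "");
 bool removeDetachedInventory(const std::string &name);
+bool checkDetachedInventoryAccess(const InventoryLocation &loc, const std::string &player) const;
 
 void sendDetachedInventories(const std::string &peer_name, bool incremental,
 std::function<void(const std::string &, Inventory *)> apply_cb);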
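Review bot: The new declaration of checkDetachedInventoryAccess carries no comment, and its contract is not obvious from the name. Per the definition in serverinventorymgr.cpp it returns false for an unknown inventory and true when the stored owner is empty or equals `player`. Because `createDetachedInventory` defaults `player` to `""`, every inventory created without an owner is open to all players, and callers should be able to read that here. I would add `// Returns true if 'player' may access the detached inventory at 'loc'; an empty owner means any player, an unknown inventory means no access.` above the declaration. The class body continues outside this hunk.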
