Permalink
Browse files

Fix item duplication vulnerability

  • Loading branch information...
micheal65536 committed Feb 11, 2018
1 parent 7226dd6 commit fe1db91d0c3cd5ec6bc8fb0c3c3f495f0f3327f7
Showing with 81 additions and 26 deletions.
  1. +3 −0 3d_armor/README.txt
  2. +60 −12 3d_armor/api.lua
  3. +18 −14 3d_armor/init.lua
@@ -68,6 +68,9 @@ armor_fire_protect = false
-- Enable punch damage effects.
armor_punch_damage = true
-- Enable migration of old armor inventories
armor_migrate_old_inventory = true
API
---
@@ -72,6 +72,7 @@ armor = {
on_damage = {},
on_destroy = {},
},
migrate_old_inventory = true,
version = "0.4.10",
}
@@ -174,7 +175,7 @@ armor.update_player_visuals = function(self, player)
end
armor.set_player_armor = function(self, player)
local name, player_inv = self:get_valid_player(player, "[set_player_armor]")
local name, armor_inv = self:get_valid_player(player, "[set_player_armor]")
if not name then
return
end
@@ -199,7 +200,7 @@ armor.set_player_armor = function(self, player)
change[group] = 1
levels[group] = 0
end
local list = player_inv:get_list("armor")
local list = armor_inv:get_list("armor")
if type(list) ~= "table" then
return
end
@@ -297,15 +298,15 @@ armor.set_player_armor = function(self, player)
end
armor.punch = function(self, player, hitter, time_from_last_punch, tool_capabilities)
local name, player_inv = self:get_valid_player(player, "[punch]")
local name, armor_inv = self:get_valid_player(player, "[punch]")
if not name then
return
end
local state = 0
local count = 0
local recip = true
local default_groups = {cracky=3, snappy=3, choppy=3, crumbly=3, level=1}
local list = player_inv:get_list("armor")
local list = armor_inv:get_list("armor")
for i, stack in pairs(list) do
if stack:get_count() == 1 then
local name = stack:get_name()
@@ -427,6 +428,57 @@ armor.get_armor_formspec = function(self, name, listring)
return formspec
end
armor.serialize_inventory_list = function(self, list)
local list_table = {}
for _, stack in ipairs(list) do
table.insert(list_table, stack:to_string())
end
return minetest.serialize(list_table)
end
armor.deserialize_inventory_list = function(self, list_string)
local list_table = minetest.deserialize(list_string)
local list = {}
for _, stack in ipairs(list_table or {}) do
table.insert(list, ItemStack(stack))
end
return list
end
armor.load_armor_inventory = function(self, player)
local msg = "[load_armor_inventory]"
local name = player:get_player_name()
if not name then
minetest.log("warning", S("3d_armor: Player name is nil @1", msg))
return
end
local armor_inv = minetest.get_inventory({type="detached", name=name.."_armor"})
if not armor_inv then
minetest.log("warning", S("3d_armor: Detached armor inventory is nil @1", msg))
return
end
local armor_list_string = player:get_attribute("3d_armor_inventory")
if armor_list_string then
armor_inv:set_list("armor", self:deserialize_inventory_list(armor_list_string))
return true
end
end
armor.save_armor_inventory = function(self, player)
local msg = "[save_armor_inventory]"
local name = player:get_player_name()
if not name then
minetest.log("warning", S("3d_armor: Player name is nil @1", msg))
return
end
local armor_inv = minetest.get_inventory({type="detached", name=name.."_armor"})
if not armor_inv then
minetest.log("warning", S("3d_armor: Detached armor inventory is nil @1", msg))
return
end
player:set_attribute("3d_armor_inventory", self:serialize_inventory_list(armor_inv:get_list("armor")))
end
armor.update_inventory = function(self, player)
-- DEPRECATED: Legacy inventory support
end
@@ -438,17 +490,13 @@ armor.set_inventory_stack = function(self, player, i, stack)
minetest.log("warning", S("3d_armor: Player name is nil @1", msg))
return
end
local player_inv = player:get_inventory()
local armor_inv = minetest.get_inventory({type="detached", name=name.."_armor"})
if not player_inv then
minetest.log("warning", S("3d_armor: Player inventory is nil @1", msg))
return
elseif not armor_inv then
if not armor_inv then
minetest.log("warning", S("3d_armor: Detached armor inventory is nil @1", msg))
return
end
player_inv:set_stack("armor", i, stack)
armor_inv:set_stack("armor", i, stack)
self:save_armor_inventory(player)
end
armor.get_valid_player = function(self, player, msg)
@@ -462,9 +510,9 @@ armor.get_valid_player = function(self, player, msg)
minetest.log("warning", S("3d_armor: Player name is nil @1", msg))
return
end
local inv = player:get_inventory()
local inv = minetest.get_inventory({type="detached", name=name.."_armor"})
if not inv then
minetest.log("warning", S("3d_armor: Player inventory is nil @1", msg))
minetest.log("warning", S("3d_armor: Detached armor inventory is nil @1", msg))
return
end
return name, inv
@@ -111,27 +111,23 @@ end)
local function init_player_armor(player)
local name = player:get_player_name()
local player_inv = player:get_inventory()
local pos = player:getpos()
if not name or not player_inv or not pos then
if not name or not pos then
return false
end
local armor_inv = minetest.create_detached_inventory(name.."_armor", {
on_put = function(inv, listname, index, stack, player)
player:get_inventory():set_stack(listname, index, stack)
armor:save_armor_inventory(player)
armor:run_callbacks("on_equip", player, index, stack)
armor:set_player_armor(player)
end,
on_take = function(inv, listname, index, stack, player)
player:get_inventory():set_stack(listname, index, nil)
armor:save_armor_inventory(player)
armor:run_callbacks("on_unequip", player, index, stack)
armor:set_player_armor(player)
end,
on_move = function(inv, from_list, from_index, to_list, to_index, count, player)
local plaver_inv = player:get_inventory()
local stack = inv:get_stack(to_list, to_index)
player_inv:set_stack(to_list, to_index, stack)
player_inv:set_stack(from_list, from_index, nil)
armor:save_armor_inventory(player)
armor:set_player_armor(player)
end,
allow_put = function(inv, listname, index, stack, player)
@@ -158,10 +154,18 @@ local function init_player_armor(player)
end,
}, name)
armor_inv:set_size("armor", 6)
player_inv:set_size("armor", 6)
if not armor:load_armor_inventory(player) and armor.migrate_old_inventory then
local player_inv = player:get_inventory()
player_inv:set_size("armor", 6)
for i=1, 6 do
local stack = player_inv:get_stack("armor", i)
armor_inv:set_stack("armor", i, stack)
end
armor:save_armor_inventory(player)
player_inv:set_size("armor", 0)
end
for i=1, 6 do
local stack = player_inv:get_stack("armor", i)
armor_inv:set_stack("armor", i, stack)
local stack = armor_inv:get_stack("armor", i)
armor:run_callbacks("on_equip", player, i, stack)
end
armor.def[name] = {
@@ -256,13 +260,13 @@ end)
if armor.config.drop == true or armor.config.destroy == true then
minetest.register_on_dieplayer(function(player)
local name, player_inv = armor:get_valid_player(player, "[on_dieplayer]")
local name, armor_inv = armor:get_valid_player(player, "[on_dieplayer]")
if not name then
return
end
local drop = {}
for i=1, player_inv:get_size("armor") do
local stack = player_inv:get_stack("armor", i)
for i=1, armor_inv:get_size("armor") do
local stack = armor_inv:get_stack("armor", i)
if stack:get_count() > 0 then
table.insert(drop, stack)
armor:set_inventory_stack(player, i, nil)

0 comments on commit fe1db91

Please sign in to comment.