
Protect per-player detached inventory actions

SmallJoker committed Mar 7, 2021
1 parent d9b78d6 commit fc864029b9635106a5390aa09d227d7dac31d1a5
Showing with 18 additions and 1 deletion.
  1. +5 −1 src/network/serverpackethandler.cpp
  2. +12 −0 src/server/serverinventorymgr.cpp
  3. +1 −0 src/server/serverinventorymgr.h
@@ -626,14 +626,18 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)

const bool player_has_interact = checkPriv(player->getName(), "interact");

auto check_inv_access = [player, player_has_interact] (
auto check_inv_access = [player, player_has_interact, this] (
const InventoryLocation &loc) -> bool {
if (loc.type == InventoryLocation::CURRENT_PLAYER)
return false; // Only used internally on the client, never sent
if (loc.type == InventoryLocation::PLAYER) {
// Allow access to own inventory in all cases
return loc.name == player->getName();
}
if (loc.type == InventoryLocation::DETACHED) {
if (!getInventoryMgr()->checkDetachedInventoryAccess(loc, player->getName()))
return false;
}

if (!player_has_interact) {
infostream << "Cannot modify foreign inventory: "
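Review bot: The new `DETACHED` branch in `check_inv_access` returns false without writing anything to the log, while the `!player_has_interact` path directly below it reports the refusal through `infostream`. A refused action on a detached inventory the player may not access is exactly the event this commit exists to block, so an operator reviewing logs should be able to see it. Consider logging before the `return false`, e.g. `infostream << "Cannot modify detached inventory " << loc.name << ": not accessible to " << player->getName() << std::endl;`. A detached inventory that does not exist takes the same path, so the message should not assert an ownership mismatch. The lambda body continues past the end of this hunk.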
@@ -168,6 +168,18 @@ bool ServerInventoryManager::removeDetachedInventory(const std::string &name)
return true;
}

bool ServerInventoryManager::checkDetachedInventoryAccess(
const InventoryLocation &loc, const std::string &player) const
{
SANITY_CHECK(loc.type == InventoryLocation::DETACHED);

const auto &inv_it = m_detached_inventories.find(loc.name);
if (inv_it == m_detached_inventories.end())
return false;

return inv_it->second.owner.empty() || inv_it->second.owner == player;
}

void ServerInventoryManager::sendDetachedInventories(const std::string &peer_name,
bool incremental,
std::function<void(const std::string &, Inventory *)> apply_cb)
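Review bot: `checkDetachedInventoryAccess` guards its precondition with `SANITY_CHECK(loc.type == InventoryLocation::DETACHED)`, yet the `loc` it receives originates from a client packet. The one caller visible in this commit tests the type first, so the check cannot fire today. If `SANITY_CHECK` aborts the process, as its name suggests, a later caller that forgets that test would let a remote client take the server down. Failing closed is cheaper and keeps the function safe on its own: `if (loc.type != InventoryLocation::DETACHED) return false;`. Separately, `const auto &inv_it = m_detached_inventories.find(loc.name);` binds a temporary iterator to a reference; a plain `auto inv_it` is the conventional form.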
@@ -43,6 +43,7 @@ class ServerInventoryManager : public InventoryManager
Inventory *createDetachedInventory(const std::string &name, IItemDefManager *idef,
const std::string &player = "");
bool removeDetachedInventory(const std::string &name);
bool checkDetachedInventoryAccess(const InventoryLocation &loc, const std::string &player) const;

void sendDetachedInventories(const std::string &peer_name, bool incremental,
std::function<void(const std::string &, Inventory *)> apply_cb);
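Review bot: The new declaration `checkDetachedInventoryAccess` carries no comment, and the signature does not show that an empty owner means "accessible to everyone" or that a missing inventory yields false. Both behaviours are security-relevant defaults that a future caller needs to know. Suggest a comment above the declaration such as `// Returns true if the detached inventory exists and is unowned (empty owner) or owned by 'player'; false otherwise.` It would also help to state there that `loc.type` must be `DETACHED`, since the implementation asserts it.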
