Prevent players accessing inventories of other players #10341
Conversation
|
Nice, that's another cheat from my hackclient patched (see #10340 ) |
|
Player inventories are only sent to the correct player. I see this is needed, but not how you'd get that inventory list in first place. |
You don't need to have that list, you can guess where items are This is a classic example of a Time of Check is not Time of Use vulnerability - the inventory owner is checked when sending inventories (kinda), but not on inventory actions |
|
My approval still stands |
rubenwardy
changed the title
|
Nice, the inventory exploit I found is patched. |
|
We'd be grateful for reports in the future, I know that's less fun :D |
I emailed a core dev about it instead of reporting it publicly because I didn't want somebody seeing the issue and wiping everyone's inventories on servers. But it seems the email wasn't noticed. Is there a way to report bugs privately that gets noticed? |
|
Talking to a core developer privately on IRC is another option, when you get a reply you can be sure your report was seen. |
|
Ah ok, thanks for that - we need to work on our communication |
|
https://github.com/minetest/minetest/security/policy Thought that tab allowed in-Github reports, guess not |
|
Oh nice, you can draft the advisory privately and then publish it |
|
Needs to be done for detached inventorys as well. |
Impossible. Detached inventories are meant to be accessible. Only mods can and have to implement meaningful restrictions, such as range or ownership. |
|
I'm referring to detached inventorys which were specifically meant for only one player. These are also only sent to this one. |
Title says it all. Fixes this cheat. Unfortunately also requires invhack mods to implement workarounds, but they seem to already be doing this.