Is deserialize secure?

by debiankaios » Post

If anyone edits the serialized files so that a virus will be downloaded and started (yes, it's possible in Lua), will that be blocked in the deserialize process? I found that bytecode will be blocked, and if I try to let anything print from the file, it doesn't work either. Is serializing secure?

Re: Is deserialize secure?

by rubenwardy » Post

No, passing untrusted strings to minetest.deserialize can allow malicious users to freeze the server, and before 5.2 allows them to run any Lua code in the server environment.

You should only pass strings that have been created by minetest.serialize. It's fine to pass user input to that function, and then to deserialize.
Re: Is deserialize secure?

by debiankaios » Post

rubenwardy wrote:
Tue Mar 15, 2022 12:06
You should only pass strings that have been created by minetest.serialize. It's fine to pass user input to that function, and then to deserialize
But how can I be sure that it gets serialized first?
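
One way to keep the boundary described in rubenwardy's answer, as an added example that is not from the thread or from Minetest's own code: player text only ever goes in through minetest.serialize, and minetest.deserialize only reads back what the mod itself stored. The `/note` command, the `note:` storage key and the length limit are hypothetical names chosen for this sketch.

```lua
-- Added example; command, key prefix and limit are hypothetical.
local storage = minetest.get_mod_storage()
local MAX_NOTE_LEN = 256 -- constructed limit for this example

-- Write path: the player's text is a plain string value inside a table.
-- minetest.serialize produces the stored string; the player never supplies it.
local function save_note(player_name, text)
    if type(text) ~= "string" or #text > MAX_NOTE_LEN then
        return false
    end
    storage:set_string("note:" .. player_name,
        minetest.serialize({version = 1, text = text}))
    return true
end

-- Read path: deserialize only what save_note wrote, then check the shape.
local function load_note(player_name)
    local raw = storage:get_string("note:" .. player_name)
    if raw == "" then
        return nil -- nothing stored for this player
    end
    -- safe = true: functions contained in the data are not loaded
    local data = minetest.deserialize(raw, true)
    if type(data) ~= "table" or type(data.text) ~= "string" then
        return nil -- unexpected shape, treat as missing
    end
    return data.text
end

minetest.register_chatcommand("note", {
    params = "[<text>]",
    description = "Save a note, or show the saved one",
    func = function(name, param)
        if param == "" then
            return true, load_note(name) or "(no note)"
        end
        -- Never call minetest.deserialize(param): param is player-controlled.
        if save_note(name, param) then
            return true, "Saved."
        end
        return false, "Note too long."
    end,
})
```

The mod knows the string was serialized first because it is the only writer of that storage key; the shape check on load covers the case from the first post where the stored file was edited outside the game.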
