Edit signs without interact priv?!?

Post Reply
BBmine
Member
Posts: 3476
Joined: Sun Jul 12, 2015 22:51
GitHub: BBmine
IRC: BBmine
In-game: Baggins
Location: USA

Edit signs without interact priv?!?

by BBmine » Post

Hey, as default on my Hommies server, players do not have interact. The server is on minetesthosting.com and 0.4.14. Somebody WITHOUT interact privs edited different signs around spawn.

BTW, I thought I had posted this before, but either (A) I really didn't, (B) I did, but the forums have a bug, or (C) an admin/moderator deleted it. :P

User avatar
addi
Member
Posts: 666
Joined: Thu Sep 20, 2012 03:16
GitHub: adrido
Location: Black-Forest, Germany

Re: Edit signs without interact priv?!?

by addi » Post

hmm looks like that old bug is back: https://github.com/minetest/minetest_game/issues/210
Maybe in combination with a manipulated client

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: Edit signs without interact priv?!?

by sorcerykid » Post

Were the signs protected? Afaik, the formspects for default signs use client-side prediction. And validation of that form doesn't occur until submission. And at least in 0.4.14, there is no check for privileges only protection (see below). I imagine this bug also affects unlocked chests and bookshelves for the same reason.

Code: Select all

                on_receive_fields = function(pos, formname, fields, sender)
                        --print("Sign at "..minetest.pos_to_string(pos).." got "..dump(fields))
                        local player_name = sender:get_player_name()
                        if minetest.is_protected(pos, player_name) then
                                minetest.record_protection_violation(pos, player_name)
                                return
                        end
                        local meta = minetest.get_meta(pos)
                        if not fields.text then return end
                        minetest.log("action", (player_name or "") .. " wrote \"" ..
                                fields.text .. "\" to sign at " .. minetest.pos_to_string(pos))
                        meta:set_string("text", fields.text)
                        meta:set_string("infotext", '"' .. fields.text .. '"')
                end,

BBmine
Member
Posts: 3476
Joined: Sun Jul 12, 2015 22:51
GitHub: BBmine
IRC: BBmine
In-game: Baggins
Location: USA

Re: Edit signs without interact priv?!?

by BBmine » Post

sorcerykid wrote:Were the signs protected? Afaik, the formspects for default signs use client-side prediction. And validation of that form doesn't occur until submission. And at least in 0.4.14, there is no check for privileges only protection (see below). I imagine this bug also affects unlocked chests and bookshelves for the same reason.

Code: Select all

                on_receive_fields = function(pos, formname, fields, sender)
                        --print("Sign at "..minetest.pos_to_string(pos).." got "..dump(fields))
                        local player_name = sender:get_player_name()
                        if minetest.is_protected(pos, player_name) then
                                minetest.record_protection_violation(pos, player_name)
                                return
                        end
                        local meta = minetest.get_meta(pos)
                        if not fields.text then return end
                        minetest.log("action", (player_name or "") .. " wrote \"" ..
                                fields.text .. "\" to sign at " .. minetest.pos_to_string(pos))
                        meta:set_string("text", fields.text)
                        meta:set_string("infotext", '"' .. fields.text .. '"')
                end,
It was not protected because I use the free version of that hosting service, which only includes vanilla and external_cmd. Maybe I should stop having my furnaces stuffed......

Oh also, I tried banning the guy who did that, but because he was not online at the time, it wouldn't ban him >:(

BBmine
Member
Posts: 3476
Joined: Sun Jul 12, 2015 22:51
GitHub: BBmine
IRC: BBmine
In-game: Baggins
Location: USA

Re: Edit signs without interact priv?!?

by BBmine » Post

I just did a test with a client that has no interact privs. I can't even right-click on anything. Not even signs. So either that player was cheating, or he had an old, dumb client. The trick is how to ban him. :P

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: Edit signs without interact priv?!?

by sorcerykid » Post

Thanks for the heads up. It looks like right-clicking is indeed disabled once interact is revoked. That is very good to know.

BBmine
Member
Posts: 3476
Joined: Sun Jul 12, 2015 22:51
GitHub: BBmine
IRC: BBmine
In-game: Baggins
Location: USA

Re: Edit signs without interact priv?!?

by BBmine » Post

Oh, if you want to test it with different clients, the server is: minetesthosting.com PORT: 30352 :)

You will have no interact by default, unless I already granted you interact, in which case, create another account.

Post Reply

Who is online

Users browsing this forum: No registered users and 7 guests