Quiz: Spot 3 security vulnerabilities in this mod

rubenwardy
Moderator
Posts: 6297
Joined: Tue Jun 12, 2012 18:11
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy
Location: United Kingdom

by rubenwardy » Post

api.lua

mymod = {}

function mymod.send_email(ie, message)
	local cmd = ("echo \"Message: %s\""):format(message)
	ie.os.execute(cmd)
end

init.lua

dofile(minetest.get_modpath("mymod") .. "/api.lua")

local ie = minetest.request_insecure_environment()
assert(ie, "Add mymod to secure.trusted_mods")

minetest.register_chatcommand("email", {
	func = function(name, param)
		mymod.send_email(ie, param)
	end,
})

Tips 1:
+ Spoiler
Tips 2:
+ Spoiler
Answers:
+ Spoiler

DS-minetest
Member
Posts: 1144
Joined: Thu Jun 19, 2014 19:49
GitHub: Desour
IRC: DS-minetest
In-game: DS
Location: I'm scared that if this is too exact, I will be unable to use my keyboard.

Re: Quiz: Spot 3 security vulnerabilities in this mod

by DS-minetest » Post

+ Spoiler
Last edited by DS-minetest on Wed Apr 08, 2020 17:44, edited 2 times in total.
Note that I've recently renamed myself on github and co. to "Desour". (I'm bad at naming things.)
Feel free to call me DS.

Re: Quiz: Spot 3 security vulnerabilities in this mod

by rubenwardy » Post

DS-minetest wrote:
+ Spoiler
+ Spoiler

Krock
Developer
Posts: 4572
Joined: Thu Oct 03, 2013 07:48
GitHub: SmallJoker
Location: Switzerland

Re: Quiz: Spot 3 security vulnerabilities in this mod

by Krock » Post

Spoiler plus answers (sorry channel!)
Look, I programmed a bug for you. >> Mod Search Engine << - Mods by Krock - DuckDuckGo mod search bang: !mtmod <keyword here>

micheal65536
Member
Posts: 167
Joined: Mon May 22, 2017 20:27

Re: Quiz: Spot 3 security vulnerabilities in this mod

by micheal65536 » Post

+ Spoiler

Wuzzy
Member
Posts: 4089
Joined: Mon Sep 24, 2012 15:01
GitHub: Wuzzy2
IRC: Wuzzy
In-game: Wuzzy

Re: Quiz: Spot 3 security vulnerabilities in this mod

by Wuzzy » Post

Cool.
My creations. I gladly accept bitcoins: 17fsUywHxeMHKG41UFfu34F1rAxZcrVoqH

pgimeno
Member
Posts: 17
Joined: Fri May 03, 2019 12:10
IRC: PGimeno
In-game: pgmine

Re: Quiz: Spot 3 security vulnerabilities in this mod

by pgimeno » Post

Is this safe?

*ONLY GUARANTEED TO WORK IN SH-LIKE SHELLS*

api.lua:

local ie = ...
local string = ie.string
local os = ie.os
local table = ie.table

mymod = {}

local function quote_shell_arg(s)
  s = string.gsub(s, "%z", "")  -- remove embedded NULs
  s = string.gsub(s, "'", "'\\''")  -- escape single quotes (the lazy way)
  return "'" .. string.sub(s, 1, 16000) .. "'"
end

function mymod.send_email(message)
  -- The internal echo command interprets backslash characters in some shells,
  -- like dash, for example. Use an external command instead.
  local cmd = "/bin/echo " .. quote_shell_arg("Message: " .. message)
  os.execute(cmd)
end

init.lua:

local ie = minetest.request_insecure_environment()
assert(ie, "Add mymod to secure.trusted_mods")

loadfile(minetest.get_modpath("mymod") .. "/api.lua")(ie)

minetest.register_chatcommand("email", {
  func = function(name, param)
    mymod.send_email(param)
  end;
})

Re: Quiz: Spot 3 security vulnerabilities in this mod

by pgimeno » Post

I'll answer myself: No, it is not safe currently.
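A check that can be run against a shell-quoting helper like the `quote_shell_arg` posted earlier in the thread, added here as an example and not code from any poster: it passes constructed messages through `sh` and verifies they come back byte for byte. It assumes plain Lua on a POSIX system with `io.popen`; `sanitize` and `round_trip` are hypothetical names, and this version of the helper strips control characters and truncates before escaping, so the cut cannot land inside a `'\''` sequence.

```lua
-- Added example, not code from the thread. Assumes plain Lua on a POSIX
-- system where io.popen runs its command through sh.
local MAX_LEN = 16000  -- same cap as the helper posted in the thread

-- Hypothetical helper: drop control characters (NUL and newline included),
-- then cap the length. Both happen BEFORE escaping.
local function sanitize(s)
  local stripped = string.gsub(s, "%c", "")
  return string.sub(stripped, 1, MAX_LEN)
end

-- Wrap s in single quotes for sh; each embedded ' becomes '\''.
-- Escaping is the last step, so no later cut can split a '\'' sequence.
local function quote_shell_arg(s)
  local escaped = string.gsub(sanitize(s), "'", "'\\''")
  return "'" .. escaped .. "'"
end

-- Hypothetical check: hand the quoted word to sh and read back what the
-- command received. printf '%s' prints its argument without interpreting
-- backslashes, so the output is exactly the argument.
local function round_trip(message)
  local pipe = assert(io.popen("printf '%s' " .. quote_shell_arg(message), "r"))
  local out = pipe:read("*a")
  pipe:close()
  return out
end

-- Constructed sample messages, including shell metacharacters.
local samples = {
  "hello world",
  "it's 5 o'clock",
  "$(echo X) `echo Y`; echo Z | cat && true",
  "back\\nslash \\x41 %s %d \"quoted\"",
  "two\nlines and a NUL\0byte",
  string.rep("'", MAX_LEN + 5),  -- forces truncation in a run of quotes
}

for i, message in ipairs(samples) do
  local expected = sanitize(message)
  local got = round_trip(message)
  assert(got == expected, "sample " .. i .. " changed on its way through sh")
  print(string.format("sample %d ok (%d bytes)", i, #got))
end
```

The check covers only the quoting step; it does not address how the mod obtains or exposes the insecure environment.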
