Fix vulnerability due to missing priv check

2018-11-19 22:49:46 +00:00 · 2018-11-19 22:49:46 +00:00 · a6741081c9
parent d5c77d7042
commit a6741081c9
2 changed files with 21 additions and 10 deletions
--- a/mods/capitalism/land/gui.lua
+++ b/mods/capitalism/land/gui.lua
@ -20,7 +20,8 @@ local function flatten_list(list, level, out)
 end

 local function build_list()
-	return flatten_list(land.get_area_tree())
+	local tree = land.get_area_tree()
+	return flatten_list(tree)
 end


@ -137,4 +138,4 @@ land.show_debug_to = lib_quickfs.register("land:debug", function(self, playernam
 				return true
 			end
 		end
-	end)
+	end, { land_admin = true })
--- a/mods/libs/lib_quickfs/init.lua
+++ b/mods/libs/lib_quickfs/init.lua
@ -1,21 +1,31 @@
 lib_quickfs = {}

-function lib_quickfs.register(name, func, cb)
+function lib_quickfs.register(name, func, cb, privs)
 	local player_contexts = {}

 	minetest.register_on_player_receive_fields(function(player, formname, fields)
-		if formname == name then
-			local playername = player:get_player_name()
-			local context = player_contexts[playername]
+		if formname ~= name then
+			return
+		end

-			if context and cb(context, player, formname, fields) then
-				local formspec = func(context, playername)
-				minetest.show_formspec(playername, name, formspec)
-			end
+		if privs and not minetest.check_player_privs(player, privs) then
+			return
+		end
+
+		local playername = player:get_player_name()
+		local context = player_contexts[playername]
+
+		if context and cb(context, player, formname, fields) then
+			local formspec = func(context, playername)
+			minetest.show_formspec(playername, name, formspec)
 		end
 	end)

 	return function(playername, ...)
+		if privs and not minetest.check_player_privs(playername, privs) then
+			return
+		end
+
 		local context =  {
 			playername = playername,
 			args = { ... },