Protect per-player detached inventory actions

minetest · Mar 7, 2021 · fc86402 · fc86402
1 parent d9b78d6
commit fc86402
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/src/network/serverpackethandler.cpp b/src/network/serverpackethandler.cpp
@@ -626,14 +626,18 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)
 
 	const bool player_has_interact = checkPriv(player->getName(), "interact");
 
-	auto check_inv_access = [player, player_has_interact] (
+	auto check_inv_access = [player, player_has_interact, this] (
 			const InventoryLocation &loc) -> bool {
 		if (loc.type == InventoryLocation::CURRENT_PLAYER)
 			return false; // Only used internally on the client, never sent
 		if (loc.type == InventoryLocation::PLAYER) {
 			// Allow access to own inventory in all cases
 			return loc.name == player->getName();
 		}
+		if (loc.type == InventoryLocation::DETACHED) {
+			if (!getInventoryMgr()->checkDetachedInventoryAccess(loc, player->getName()))
+				return false;
+		}
 
 		if (!player_has_interact) {
 			infostream << "Cannot modify foreign inventory: "

diff --git a/src/server/serverinventorymgr.cpp b/src/server/serverinventorymgr.cpp
@@ -168,6 +168,18 @@ bool ServerInventoryManager::removeDetachedInventory(const std::string &name)
 	return true;
 }
 
+bool ServerInventoryManager::checkDetachedInventoryAccess(
+		const InventoryLocation &loc, const std::string &player) const
+{
+	SANITY_CHECK(loc.type == InventoryLocation::DETACHED);
+
+	const auto &inv_it = m_detached_inventories.find(loc.name);
+	if (inv_it == m_detached_inventories.end())
+		return false;
+
+	return inv_it->second.owner.empty() || inv_it->second.owner == player;
+}
+
 void ServerInventoryManager::sendDetachedInventories(const std::string &peer_name,
 		bool incremental,
 		std::function<void(const std::string &, Inventory *)> apply_cb)

diff --git a/src/server/serverinventorymgr.h b/src/server/serverinventorymgr.h
@@ -43,6 +43,7 @@ class ServerInventoryManager : public InventoryManager
 	Inventory *createDetachedInventory(const std::string &name, IItemDefManager *idef,
 			const std::string &player = "");
 	bool removeDetachedInventory(const std::string &name);
+	bool checkDetachedInventoryAccess(const InventoryLocation &loc, const std::string &player) const;
 
 	void sendDetachedInventories(const std::string &peer_name, bool incremental,
 			std::function<void(const std::string &, Inventory *)> apply_cb);