stujones11 / minetest-3d_armor

Visible player armor & wielded items for minetest

Fix item duplication vulnerability #130

Closed micheal65536 closed 6 years ago

micheal65536 commented 6 years ago

It has come to my attention that there is an item duplication vulnerability with regards to the way that the armor inventory is implemented through the parallel use of a detached inventory and a list in the player's inventory. This pull request fixes this vulnerability by using player attributes to persistently store the player's armor instead of a list in the player's inventory.

stujones11 commented 6 years ago

Thank you for this, it's something I've been meaning to do since player attributes were added. I will test and merge asap. I would be interested to know more about the vulnerability; however, it's probably best you do not publicise that information, I'll just take your word for it.

micheal65536 commented 6 years ago

I will add an explanation for future developers in a few weeks once the popular servers have hopefully been updated. In the meantime I will send you a private message on the Minetest forum.

EDIT: Never mind, I can't send a message on the Minetest forum because my account is too new.

stujones11 commented 6 years ago

I just sent you a PM, maybe that will activate it :)

micheal65536 commented 6 years ago

Sadly no, it doesn't. I will reply if I am ever able to, otherwise you can wait for the public explanation. With reference to your PM, I can confirm that the bags mod does not appear to be vulnerable. I will investigate other mods to determine if they are vulnerable and report or fix them as appropriate.