Time Nick Message
13:11 Krock will merge #9896 in 10 minutes
13:11 ShadowBot https://github.com/minetest/minetest/issues/9896 -- Potential fix for GUI scaling filter clipping animated images and 9slice backgrounds by Df458
13:21 Krock merging...
16:23 oil_boi Hello
16:24 appguru #9974 is on the table
16:24 ShadowBot https://github.com/minetest/minetest/issues/9974 -- Fix players being able to spam jump up nodes by oilboi
16:25 appguru I personally sort of agree with ANAND as a fellow CTF player :D
16:25 oil_boi I will have to look at the settings and learn how to implement this into the settings
16:39 Krock rubenwardy: any objections for the current state of #9954?
16:39 ShadowBot https://github.com/minetest/minetest/issues/9954 -- Lua API: Log incorrect parameter types as error by SmallJoker
16:40 rubenwardy haven't tested, but LGTM
16:40 Krock thanks
16:40 Krock will merge #9975 and #9954 in 10 minutes
16:40 ShadowBot https://github.com/minetest/minetest/issues/9975 -- ContentCAO: Update light all attached entities by SmallJoker
16:40 ShadowBot https://github.com/minetest/minetest/issues/9954 -- Lua API: Log incorrect parameter types as error by SmallJoker
16:45 oil_boi I see we have && itemgroup_get(f.groups, "bouncy") at line 1059, maybe I can rework the jump handling event to use that section instead to not break bouncy nodes
16:45 appguru How many weeks do I still have to open a new PR with any chances of it being merged in 5.3 ?
16:45 rubenwardy depends what it is and the size
16:46 rubenwardy anything that isn't prioritised or trivial, about -2 weeks
16:46 appguru Well, I have been planning on trying a get_objects_inside_radius speedup PR
16:46 rubenwardy I'd want that to be merged after the release, as the last attempt caused lots of bugs
16:47 appguru When can we expect 5.4?
16:47 appguru Is there a fixed release schedule?
16:47 rubenwardy it's usually twice a year
16:47 rubenwardy so 6 months
16:51 oil_boi rubenwardy, I just reverted the jump code and retested it, and trampolines are still broken, the player has to come to a halt on beds before they can bounce again, I'll try to fix this
17:01 Krock merging...
17:01 Krock (2x 10 min = 20 ofc)
17:03 rubenwardy lol
17:24 oil_boi rubenwardy, I'm trying a rebuild with the bouncy node section and the normal jump section
17:24 oil_boi Set to speedJ.Y >= -0.5f * BS && speedJ.Y <= 0.01f * BS
17:27 oil_boi bouncing glitch is still there :L
17:27 oil_boi I'm going to test the output and see what the exact m_speed.Y is
17:28 sfan5 #9961 is ready
17:28 ShadowBot https://github.com/minetest/minetest/issues/9961 -- Server pushing media at runtime by sfan5
17:33 Krock how can they be freed from the memory?
17:33 Krock rejoin?
17:34 sfan5 yes
17:44 sfan5 rubenwardy: one reason to allow disabling mod security: even with an insecure environment mods cannot use engine methods (e.g. minetest.mkdir) on "insecure" paths
17:45 rubenwardy you could bundle lfs in that case
17:45 rubenwardy meaning luafilesystem
17:45 appguru insecure environments don't contain a proper require IIRC
17:45 rubenwardy yes they do
17:45 rubenwardy ie.require
17:46 appguru and does it allow using luarocks?
17:46 rubenwardy yes
17:46 sfan5 that was just an example, imagine I said minetest_specific_function_that_somehow_accesses_the_fs instead
17:46 rubenwardy I think there should be a warning, but keeping the ability to use it for people who want to experiment without worrying about security isn't totally bad
17:46 appguru Some people can just trust their setups
17:47 appguru Mod security is pretty pointless anyways, as there's not a single function you can't override and therefore hijack in Lua
17:47 rubenwardy that's not what it's about
17:47 appguru If one mod is "trusted", malicious mods have pretty much already won
17:47 rubenwardy it's about protecting the system from mods, not mods from each other
17:47 appguru Yeah, but you can't protect the system from mods
17:48 appguru Not if you have trusted mods
17:48 sfan5 not really, there is no generic way to bypass security if you have another trusted mod
17:48 rubenwardy it is possible to craft a trusted mod and not leak the environment
17:48 sfan5 any security holes are ones opened up by the trusted mod itself
17:48 rubenwardy yeah
17:48 appguru "any security holes are ones opened up by the trusted mod itself"
17:48 appguru of course
17:48 rubenwardy which is easy to do, as shown by my examples
17:49 appguru not leaking the environment is hard if not impossible
17:49 sfan5 huh?
17:49 rubenwardy not leaking the environment is very very easy
17:49 rubenwardy not allowing malicious mods to give you fake data is harder, as you can't trust any inputs
17:49 rubenwardy or system functions
17:49 sfan5 it really depends on what exactly you do with it
17:50 rubenwardy see https://forum.minetest.net/viewtopic.php?t=24528
17:51 Krock rubenwardy: spoiler 3 should say "bad_string" in metatable
17:52 rubenwardy how come?
17:52 rubenwardy so people don't run it?
17:52 rubenwardy oh right, set metatable
18:05 appguru My point is, if all functions could be compromised, there's not much you can do to prevent some exploitation
18:08 sfan5 "some exploitation" does not necessarily translate to compromise of the insecure env
18:54 Krock rubenwardy: does ContentDB have a search API?
18:55 appguru Yes
18:55 appguru https://content.minetest.net/help/api/
18:56 Krock > Package Queries
18:56 Krock aha.
18:58 rubenwardy looks like the anchor links have broken
19:00 appguru #9828 merge or close
19:00 ShadowBot https://github.com/minetest/minetest/issues/9828 -- Revert "Replace non-ASCII characters in gameui debug display code" by appgurueu
19:09 sfan5 just close it
19:17 sfan5 pushing http://sprunge.us/mEXtLA?diff in 5 minutes
19:17 appguru fine, may the codebase rot
21:25 PGimeno hm, can debug.setmetatable be used by non-trusted mods?
21:26 sfan5 yes
21:26 PGimeno isn't that a security risk?
21:27 sfan5 perhaps, removing it would be a great hindrance
21:28 PGimeno what is it useful for in normal code?
21:30 sfan5 to implement classes
21:30 PGimeno isn't setmetatable enough for that?
21:31 sfan5 wait, is the debug one a different function?
21:31 PGimeno yes it is
21:31 PGimeno https://wiki.facepunch.com/gmod/debug.setmetatable
21:32 sfan5 oh interesting, this is not documented in the lua manual
21:32 PGimeno I know, but it works that way in both LuaJIT and PUC Lua 5.1
21:34 PGimeno https://paste.scratchbook.ch/view/e7ee3c76
21:35 sfan5 https://github.com/minetest/minetest/blob/master/src/script/cpp_api/s_security.cpp#L108-L119
21:36 sfan5 the answer is still yes
21:36 oiaohm where would feature request to add recipe books as in books you use with crafting to change the recipes on offer. Game or engine. Mostly I am sick of running into the problem of install two mods and they have overlapping recipe to make items.
21:37 PGimeno sfan5: I'd consider removing debug.setmetatable and debug.getmetatable
21:37 PGimeno or maybe aliasing them to setmetatable and getmetatable resp.
21:39 PGimeno just checked, debug.getmetatable can also read protected metatables
21:43 sfan5 can you think of a way that setmetatable would reliably compromise mod security?
21:43 sfan5 (I mean debug.setmetatable of course)
21:44 PGimeno it makes the third exploit mentioned by rubenwardy here possible: https://forum.minetest.net/viewtopic.php?t=24528
21:45 PGimeno it also allows bypassing the protection of a protected metatable, which might be a further security risk if a trusted mod relies on it
21:48 PGimeno note that even if the metatable can't be set to a different one, the existing one can be altered, i.e. you can do: getmetatable("").__index = function...
21:50 sfan5 does getmetatable work on primitive types then?
21:51 PGimeno yes it does
21:51 PGimeno I know the Mesecons LuaController has protections explicitly for that
21:51 sfan5 how do you make that secure then?
21:52 rubenwardy setmetatable is required for classes though
21:52 PGimeno rubenwardy: setmetatable != debug.setmetatable
21:53 sfan5 it has this https://github.com/minetest-mods/mesecons/blob/737f366741f54659b17bd9c96e2232eedb9735ee/mesecons_luacontroller/init.lua#L601
21:53 sfan5 but that doesn't help with securing getmetatable if untrusted code can call it
21:53 PGimeno sfan5: you can make it secure by hiding the metatable: getmetatable("").__metatable = false
21:54 sfan5 and only debug.getmetatable can bypass that?
21:54 PGimeno yes
21:54 PGimeno sfan5: the LuaController has protections against the code inside the controller modifying the string metatable
21:55 sfan5 1) how would the luac code even get the metatable? 2) where?
21:57 PGimeno 1) the LuaC would need to be trusted and use debug.getmetatable to get the real thing, 2) in the same link you gave, some lines under that: onetruestring.__index = env.string
21:59 PGimeno sorry for the confusion, the luacontroller does not allow getmetatable in the first place
21:59 sfan5 yeah I imagine that'd be hard to sandbox
21:59 sfan5 anyway it sounds like a good idea for mod security to lock down the metatables of primitive types (except would that break the luac?)
22:00 PGimeno yes, the luac would need to be trusted, and probably the same goes for any other mod that allows running insecure Lua code
22:01 PGimeno and also it would need to be modified to use ie.debug.getmetatable instead
22:04 sfan5 hm
22:41 oil_boi So that feature request I had on new_pos being part of the moveresult, I just finished it
22:48 oil_boi -ish
22:48 oil_boi still gotta divide by 10 on it
22:50 oil_boi Ooo it works very cool
23:41 oil_boi #9978
23:41 ShadowBot https://github.com/minetest/minetest/issues/9978 -- Add new_pos to moveresult output by oilboi
23:46 oil_boi I wonder if I can add in entity node friction