Time Nick Message
00:03 IhrFussel So... if init.lua uses 'dofile' is it GUARANTEED that the callback in the above file gets registered first? I think so
00:04 IhrFussel Basically UI has 2 files with that callback... and since the profiler mentions a '[2]' I think it means the 2nd callback is meant so the bottom dofile
00:08 IhrFussel Which would point me to this -> https://github.com/minetest-mods/unified_inventory/blob/master/register.lua#L564
00:08 IhrFussel But how can this code cause a lag of SIX or more seconds?
00:16 IhrFussel btw am I dumb or does UI seriously use an EMPTY form name for its fields? That is rather weird
12:59 IhrFussel Can someone explain to me why UI needs to listen to ALL player receive field callbacks just to find out whether a field contains 'craftguide_craft' or 'craftguide_giveme' ? That seems extremely inefficient and MIGHT cause lags of several seconds on my server at times
13:01 Krock how many thousands of callbacks did you register?
13:01 IhrFussel This seems to be the problematic callback -> https://pastebin.com/NujDmAR4
13:02 Krock that can be guarded with a formname == "" check
13:02 Krock since it's most likely happening in the player inventory
13:03 IhrFussel So a simple 'if formname ~= "" then return end' ?
13:03 Krock try it
13:04 Krock chances for side-effects are low
13:08 IhrFussel Hi Megaf
13:11 Megaf Hi Fussel
13:11 Megaf Hi everyone
13:14 IhrFussel I hope the lag is not caused by CSM somehow or bad mobile clients
13:15 IhrFussel Must be some sort of mod that sends lots of fields at once when the lag happens I'm guessing...but even that is unlikely
13:36 Sokomine looking for a texture again. the way the placed nodebox-drawn node looks is good enough (would need to be rotated for the tool version)...but...how do i get that texture?
13:37 Sokomine need a wield image for the tool
13:46 IhrFussel Krock, https://github.com/minetest-mods/unified_inventory/blob/master/register.lua#L406 << this function has no PRIV CHECK?!
13:46 Krock REAL FREE ESTATE
13:46 IhrFussel Doesn't that mean that...in theory... players can send custom fields???
13:46 Krock dude thank you so much
13:47 Krock yes they can
13:47 Krock testing rn
13:47 sfan5 hahaha the classic just trusting user input
13:52 IhrFussel Sorry I should've probably used [off] for that bug (in case it turns out to be exploitable)
13:58 Krock my cheat client is bugged got to fix that first
13:58 Krock but that can clearly be abused
13:59 Krock > name = readParam(L, 1);
13:59 Krock > data = readParam(L, 1);
13:59 Krock guess why it does not work >.<
13:59 IhrFussel Well on my server it's fixed now by adding 'if not minetest.get_player_privs(player_name).somepriv then return end'
14:01 IhrFussel Krock, so it takes more than just CSM? Or did you just show an unrelated problem?
14:02 Krock needs a client modification
14:02 Krock plus CSM to have a handy GUI
14:02 Krock testing the fix..
14:02 IhrFussel Well that makes it not that high of a priority I guess but should still get fixed
14:04 IhrFussel Krock, can you explain why this cannot be exploited via CSM but other inventory formspecs can?
14:04 Krock IhrFussel: CSM cannot send fields to the server by default
14:05 IhrFussel Oh so it always required a c++ modification?
14:05 IhrFussel I guess it's an easy change though...maybe 1 or 2 lines ... kinda like disabling priv check for fly and fast
14:12 IhrFussel I will also log attempts by players who try to request items without having the necessary privs... good way to find cheaters
14:13 Krock pushing fix in 5'
14:13 Krock IhrFussel: only for formspec fields. lists can be modified from everywhere
14:14 IhrFussel Meaning what exactly?
14:14 Krock that stacks can be moved from any formspec
14:14 Krock it's sent to the server
14:15 Krock but pressing CSM formspec buttons will not trigger any server action
14:21 Krock pushing
14:21 Krock https://github.com/minetest-mods/unified_inventory/commit/850ee9cbc
14:22 Krock ^ IhrFussel: Also added console logs in case somebody wants to abuse it
14:25 IhrFussel Nice =) also isn't this kinda inconsistent? if (not output) or (output == "") then return end
14:25 IhrFussel I mean the ()
14:26 IhrFussel AFAIK the () are not necessary in lua and they are missing pretty much everywhere else
14:32 IhrFussel Megaf, are you using unified_inventory?
14:32 Megaf Yep
14:32 Megaf why?
14:32 IhrFussel Update it now
14:32 Megaf My server hasn't been updated in a while tho
14:33 IhrFussel I found an exploit... players can send custom fields to the mod and give themselves any item pretty much cause a priv check is missing ... it requires some c++ lines changes and a CSM (optional)
14:34 IhrFussel And Krock just pushed a fix to the minetest-mods repo
14:35 Megaf hum
14:35 Megaf perhaps I should update the stuff
14:35 Megaf !up mt.megaf.info 30003
14:35 MinetestBot mt.megaf.info:30003 is up (13ms)
14:35 Megaf !server Megaf
14:35 MinetestBot Megaf: Megaf Server v4 | mt.megaf.info:30003 | Clients: 0/20, 0/1 | Version: 0.4.17.1 / minetest | Ping: 16ms
14:36 IhrFussel The buttons are not visible but the internal formspec fields listen to any player (before the fix)
14:54 IhrFussel Krock, I hope there is no way to fake the player name when sending fields... but I'm guessing the worst case would be that the actual player who has the priv (if online) receives the item
14:55 Krock no, the player name cannot be faked
14:55 IhrFussel How does the server code make sure the player name is not faked?
15:03 Krock how does the server code make sure there's a player who didn't login?
15:04 Krock the player name is entirely server-sided; it's only sent once on login
15:21 IhrFussel But how does the server make sure that only client x is allowed to identify as player name/ID y?
15:22 Krock they compare the password?
15:23 IhrFussel I mean is there some kind of protected session between server and client that makes faking impossible?
15:25 Krock well, you'd have to perform a MITM attack to steal somebody else's connection
15:28 IhrFussel How does the client know something got sent to it and not someone else? I guess unique ID client and server agreed on
15:30 rubenwardy if you know the IP and the sequence number, you could session hijack yes
15:30 Krock IhrFussel: that's already very low-level and there's barely anything to do against it
15:31 Krock there's always a way. question is how much time you've got to do it
15:31 IhrFussel rubenwardy, sequence number is what? An ID?
15:32 IhrFussel Cause there can be unlimited connections from the same IP I'm guessing there needs to be some kind of ID both server and client know
15:33 sfan5 the peer id
15:33 IhrFussel So client sends playername to server, server checks, if correct server inits all required player data and stores/tells peer ID...right?
17:56 tenplus1 Hi folks
17:56 tenplus1 hey Krock
17:57 Krock hi tenplus1
17:57 tenplus1 what's new with you ?
17:57 Krock hey ho I updated the ascii mapper
17:57 tenplus1 ooh nice :)
17:57 tenplus1 I just found out corals.mts isn't in 5.0dev
17:58 Krock pushed a security commit to u_i and created a new PR with "stolen" code from somebody else
17:58 tenplus1 naughty naughty
17:58 Krock updated gist with sample image in L3: https://gist.github.com/SmallJoker/03c92442c4b81a6d2e7573c7950a10cc
17:59 Krock much easier to read this way
17:59 Krock sakura and glacier tend to be very large
18:00 tenplus1 nice, this looks way better dude
18:00 Krock ^.^
18:00 tenplus1 I so gotta rework the biomes in Ethereal to spread out better
18:02 tenplus1 this will definitely help :) thanks dude
18:03 Krock well, existing worlds will break
18:03 Krock each change is going to make it worse for newly generated areas
18:03 tenplus1 depends if the original biome will blend into the newly changed one
18:04 tenplus1 it only seems to break or have huge square gaps if the heightmap is different
18:09 tenplus1 and from what i've seen of paramat's mapgen changes, biomes blend into one another now :)
18:17 * CWz peeks in
18:18 tenplus1 o/ CWz
18:23 * tenplus1 wonders what else has been removed from 5.0 dev
18:29 rdococ Hi
18:29 tenplus1 hi rdococ
18:30 rdococ I might try to add coroutines to luacontrollers again
18:30 tenplus1 hows the mod shaping up ?
18:36 tenplus1 btw, I like the idea of farming-mutation :)
18:39 tenplus1 reminds me of a yogscast video where you breed 2 crops side by side to make a mutated crop beside it, to increase growing speed and crop harvest size
18:40 kaeza Greetings.
18:40 tenplus1 hi kaeza o/
18:41 kaeza Hi tenplus1. How's it going?
18:41 Krock o/ kaeza
18:41 tenplus1 good thx, just updated Ethereal NG (added sakura biome and coral fix)
18:41 kaeza o/ Krock
18:42 tenplus1 wb entuland
18:44 entuland hello there, freaking connection as usual, tenplus1
18:45 tenplus1 o//
18:47 tenplus1 entuland: have you tried other Os' to see if it helps the connection ?
18:51 entuland oh no it wouldn't make any difference - I simply have an ISP that rents the line from the national company, and the national company crams multiple customers into the same channel or something like that
18:51 entuland so the only option would be changing ISP
18:51 tenplus1 damn, sorry to hear dude
18:56 tenplus1 hi calcul0n
18:57 calcul0n o/
18:57 tenplus1 :P
19:09 rdococ TIC-80 is probably the longest time I've been interested in something completely new to me for a while
19:10 tenplus1 that looks kinda cute :D
19:11 Krock bye!
19:11 tenplus1 o/
19:32 tenplus1 you made any games in TIC-80 yet rdococ?
19:37 rdococ not quite but I made a 3D demo
19:37 tenplus1 :) kewl... I wonder how many tiny indie games were made on that
19:41 rdococ https://i.imgur.com/stQHzvS.png
19:42 tenplus1 reminds me of Klax somehow
19:42 rdococ that's at 30 fps... I've seen someone else manage to get things running at 60 fps with a more detailed world but meh
19:43 tenplus1 lol, tweaking becomes a new hobby to many :D
19:44 rdococ I use quaternions
19:44 tenplus1 no idea what that is :P lol
19:45 rdococ hehe
19:45 tenplus1 ahh, ddg said it's to do with math :Plol
19:47 tenplus1 hi gary :)
19:48 garywhite hello ten
19:48 tenplus1 o//
19:56 tenplus1 wb tommy
20:00 tenplus1 nite folks o/
20:58 Fixer architecture of minecraft in 2009 looks like minetest in 2011
20:58 Fixer http://s10.directupload.net/images/user/090618/rzlbhcwy.jpg
21:11 rdococ architecture of minecraft in 2019 with several mods installed relating to technology and energy installed and patched into the software looks like minetest in 2019
21:28 kaeza There wasn't glass back then I assume.
21:34 rdococ Hmm, digilines with luacontrollers is effectively a dataflow programming language
21:34 rdococ yes, I like spontaneously changing the topic of discussion for no reason
21:39 Fixer damn, playing classicube right now
21:40 Fixer feels good man
21:48 Fixer eh, 4chan, 10 years ago
23:09 rdococ the concept of 4chan seems cool but the community is hostile
23:51 Fixer old minecraft maps from 2009-2010 had some 4chan references
23:58 Fixer amazing how bad was video recording 10 years ago