| Time |
Nick |
Message |
| 00:43 |
|
reductum joined #minetest-dev |
| 00:51 |
|
reductum joined #minetest-dev |
| 01:56 |
|
Miner_48er joined #minetest-dev |
| 02:21 |
|
clavii joined #minetest-dev |
| 02:39 |
|
kb1000 joined #minetest-dev |
| 03:11 |
|
Qiangong2[m] joined #minetest-dev |
| 03:18 |
|
texmex joined #minetest-dev |
| 04:01 |
|
Taoki joined #minetest-dev |
| 05:09 |
|
calcul0n joined #minetest-dev |
| 05:55 |
|
reductum joined #minetest-dev |
| 06:04 |
|
ANAND joined #minetest-dev |
| 06:46 |
|
fluxflux joined #minetest-dev |
| 06:52 |
|
NetherEran joined #minetest-dev |
| 07:00 |
|
proller joined #minetest-dev |
| 08:00 |
|
ShadowNinja joined #minetest-dev |
| 08:19 |
|
erlehmann joined #minetest-dev |
| 09:28 |
|
Beton joined #minetest-dev |
| 10:01 |
|
mizux joined #minetest-dev |
| 11:00 |
|
lisac_ joined #minetest-dev |
| 11:32 |
|
Fixer joined #minetest-dev |
| 11:34 |
|
Darcidride joined #minetest-dev |
| 12:08 |
|
_Zaizen_ joined #minetest-dev |
| 13:11 |
Krock |
will merge #9896 in 10 minutes |
| 13:11 |
ShadowBot |
https://github.com/minetest/minetest/issues/9896 -- Potential fix for GUI scaling filter clipping animated images and 9slice backgrounds by Df458 |
| 13:19 |
|
gorbachev_pizza_ joined #minetest-dev |
| 13:19 |
|
gorbachev_pizza joined #minetest-dev |
| 13:21 |
Krock |
merging... |
| 15:51 |
|
appguru joined #minetest-dev |
| 16:23 |
|
oil_boi joined #minetest-dev |
| 16:23 |
oil_boi |
Hello |
| 16:24 |
appguru |
#9974 is on the table |
| 16:24 |
ShadowBot |
https://github.com/minetest/minetest/issues/9974 -- Fix players being able to spam jump up nodes by oilboi |
| 16:25 |
appguru |
I personally sort of agree with ANAND as a fellow CTF player :D |
| 16:25 |
oil_boi |
I will have to look at the settings and learn how to implement this into the settings |
| 16:39 |
Krock |
rubenwardy: any objections for the current state of #9954? |
| 16:39 |
ShadowBot |
https://github.com/minetest/minetest/issues/9954 -- Lua API: Log incorrect parameter types as error by SmallJoker |
| 16:40 |
rubenwardy |
haven't tested, but LGTM |
| 16:40 |
Krock |
thanks |
| 16:40 |
Krock |
will merge #9975 and #9954 in 10 minutes |
| 16:40 |
ShadowBot |
https://github.com/minetest/minetest/issues/9975 -- ContentCAO: Update light all attached entities by SmallJoker |
| 16:40 |
ShadowBot |
https://github.com/minetest/minetest/issues/9954 -- Lua API: Log incorrect parameter types as error by SmallJoker |
| 16:45 |
oil_boi |
I see we have && itemgroup_get(f.groups, "bouncy") at line 1059, maybe I can rework the jump handling event to use that section instead to not break bouncy nodes |
| 16:45 |
appguru |
How many weeks do I still have to open a new PR with any chance of it being merged in 5.3? |
| 16:45 |
rubenwardy |
depends what it is and the size |
| 16:46 |
rubenwardy |
anything that isn't prioritised or trivial, about -2 weeks |
| 16:46 |
appguru |
Well, I have been planning on trying a get_objects_inside_radius speedup PR |
| 16:46 |
rubenwardy |
I'd want that to be merged after the release, as the last attempt caused lots of bugs |
| 16:47 |
appguru |
When can we expect 5.4? |
| 16:47 |
appguru |
Is there a fixed release schedule? |
| 16:47 |
rubenwardy |
it's usually twice a year |
| 16:47 |
rubenwardy |
so 6 months |
| 16:51 |
oil_boi |
rubenwardy, I just reverted the jump code and retested it, and trampolines are still broken, the player has to come to a halt on beds before they can bounce again, I'll try to fix this |
| 17:01 |
Krock |
merging... |
| 17:01 |
Krock |
(2x 10 min = 20 ofc) |
| 17:03 |
|
fluxflux joined #minetest-dev |
| 17:03 |
rubenwardy |
lol |
| 17:14 |
|
Etxedey76188 joined #minetest-dev |
| 17:17 |
|
Etxedey76188 left #minetest-dev |
| 17:24 |
oil_boi |
rubenwardy, I'm trying a rebuild with the bouncy node section and the normal jump section |
| 17:24 |
oil_boi |
Set to speedJ.Y >= -0.5f * BS && speedJ.Y <= 0.01f * BS |
| 17:27 |
|
gorbachev_pizza_ joined #minetest-dev |
| 17:27 |
|
gd___ joined #minetest-dev |
| 17:27 |
oil_boi |
bouncing glitch is still there :L |
| 17:27 |
oil_boi |
I'm going to test the output and see what the exact m_speed.Y is |
| 17:28 |
sfan5 |
#9961 is ready |
| 17:28 |
ShadowBot |
https://github.com/minetest/minetest/issues/9961 -- Server pushing media at runtime by sfan5 |
| 17:33 |
Krock |
how can they be freed from the memory? |
| 17:33 |
Krock |
rejoin? |
| 17:33 |
|
reductum joined #minetest-dev |
| 17:34 |
sfan5 |
yes |
| 17:44 |
sfan5 |
rubenwardy: one reason to allow disabling mod security: even with an insecure environment mods cannot use engine methods (e.g. minetest.mkdir) on "insecure" paths |
| 17:45 |
rubenwardy |
you could bundle lfs in that case |
| 17:45 |
rubenwardy |
meaning luafilesystem |
| 17:45 |
appguru |
insecure environments don't contain a proper require IIRC |
| 17:45 |
rubenwardy |
yes they do |
| 17:45 |
rubenwardy |
ie.require |
| 17:46 |
appguru |
and does it allow using luarocks? |
| 17:46 |
rubenwardy |
yes |
| 17:46 |
sfan5 |
that was just an example, imagine I said minetest_specific_function_that_somehow_accesses_the_fs instead |
| 17:46 |
rubenwardy |
I think there should be a warning, but keeping the ability to use it for people who want to experiment without worrying about security isn't totally bad |
| 17:46 |
appguru |
Some people can just trust their setups |
| 17:47 |
appguru |
Mod security is pretty pointless anyways, as there's not a single function you can't override and therefore hijack in Lua |
| 17:47 |
rubenwardy |
that's not what it's about |
| 17:47 |
appguru |
If one mod is "trusted", malicious mods have pretty much already won |
| 17:47 |
rubenwardy |
it's about protecting the system from mods, not mods from each other |
| 17:47 |
appguru |
Yeah, but you can't protect the system from mods |
| 17:48 |
appguru |
Not if you have trusted mods |
| 17:48 |
sfan5 |
not really, there is no generic way to bypass security if you have another trusted mod |
| 17:48 |
rubenwardy |
it is possible to craft a trusted mod and not leak the environment |
| 17:48 |
sfan5 |
any security holes are ones opened up by the trusted mod itself |
| 17:48 |
rubenwardy |
yeah |
| 17:48 |
appguru |
"any security holes are ones opened up by the trusted mod itself" |
| 17:48 |
appguru |
of course |
| 17:48 |
rubenwardy |
which is easy to do, as shown by my examples |
| 17:49 |
appguru |
not leaking the environment is hard if not impossible |
| 17:49 |
sfan5 |
huh? |
| 17:49 |
rubenwardy |
not leaking the environment is very very easy |
| 17:49 |
rubenwardy |
not allowing malicious mods to give you fake data is harder, as you can't trust any inputs |
| 17:49 |
rubenwardy |
or system functions |
| 17:49 |
sfan5 |
it really depends on what exactly you do with it |
| 17:50 |
rubenwardy |
see https://forum.minetest.net/viewtopic.php?t=24528 |
| 17:51 |
Krock |
rubenwardy: spoiler 3 should say "bad_string" in metatable |
| 17:52 |
rubenwardy |
how come? |
| 17:52 |
rubenwardy |
so people don't run it? |
| 17:52 |
rubenwardy |
oh right, set metatable |
| 17:53 |
|
erlehmann_ joined #minetest-dev |
| 18:05 |
appguru |
My point is, if all functions could be compromised, there's not much you can do to prevent some exploitation |
| 18:08 |
sfan5 |
"some exploitation" does not necessarily translate to compromise of the insecure env |
| 18:54 |
Krock |
rubenwardy: does ContentDB have a search API? |
| 18:55 |
appguru |
Yes |
| 18:55 |
appguru |
https://content.minetest.net/help/api/ |
| 18:56 |
Krock |
> Package Queries |
| 18:56 |
Krock |
aha. |
| 18:58 |
rubenwardy |
looks like the anchor links have broken |
| 19:00 |
appguru |
#9828 merge or close |
| 19:00 |
ShadowBot |
https://github.com/minetest/minetest/issues/9828 -- Revert "Replace non-ASCII characters in gameui debug display code" by appgurueu |
| 19:09 |
sfan5 |
just close it |
| 19:17 |
sfan5 |
pushing http://sprunge.us/mEXtLA?diff in 5 minutes |
| 19:17 |
appguru |
fine, may the codebase rot |
| 19:18 |
|
kollaps[m] joined #minetest-dev |
| 19:26 |
|
oil_boi joined #minetest-dev |
| 19:33 |
|
kb1000 joined #minetest-dev |
| 19:33 |
|
texmex joined #minetest-dev |
| 19:33 |
|
Qiangong2[m] joined #minetest-dev |
| 21:25 |
PGimeno |
hm, can debug.setmetatable be used by non-trusted mods? |
| 21:26 |
sfan5 |
yes |
| 21:26 |
PGimeno |
isn't that a security risk? |
| 21:27 |
sfan5 |
perhaps, removing it would be a great hindrance |
| 21:28 |
PGimeno |
what is it useful for in normal code? |
| 21:30 |
sfan5 |
to implement classes |
| 21:30 |
PGimeno |
isn't setmetatable enough for that? |
| 21:31 |
sfan5 |
wait, is the debug one a different function? |
| 21:31 |
PGimeno |
yes it is |
| 21:31 |
PGimeno |
https://wiki.facepunch.com/gmod/debug.setmetatable |
| 21:32 |
sfan5 |
oh interesting, this is not documented in the lua manual |
| 21:32 |
PGimeno |
I know, but it works that way in both LuaJIT and PUC Lua 5.1 |
| 21:34 |
|
oiaohm joined #minetest-dev |
| 21:34 |
PGimeno |
https://paste.scratchbook.ch/view/e7ee3c76 |
| 21:35 |
sfan5 |
https://github.com/minetest/minetest/blob/master/src/script/cpp_api/s_security.cpp#L108-L119 |
| 21:36 |
sfan5 |
the answer is still yes |
| 21:36 |
oiaohm |
Where would a feature request go to add recipe books, as in books you use with crafting to change the recipes on offer? Game or engine? Mostly I am sick of running into the problem of installing two mods that have overlapping recipes to make items. |
| 21:37 |
PGimeno |
sfan5: I'd consider removing debug.setmetatable and debug.getmetatable |
| 21:37 |
PGimeno |
or maybe aliasing them to setmetatable and getmetatable resp. |
| 21:39 |
PGimeno |
just checked, debug.getmetatable can also read protected metatables |
| 21:43 |
sfan5 |
can you think of a way that setmetatable would reliably compromise mod security? |
| 21:43 |
sfan5 |
(I mean debug.setmetatable of course) |
| 21:44 |
PGimeno |
it makes the third exploit mentioned by rubenwardy here possible: https://forum.minetest.net/viewtopic.php?t=24528 |
| 21:45 |
PGimeno |
it also allows bypassing the protection of a protected metatable, which might be a further security risk if a trusted mod relies on it |
| 21:48 |
PGimeno |
note that even if the metatable can't be set to a different one, the existing one can be altered, i.e. you can do: getmetatable("").__index = function... |
| 21:50 |
sfan5 |
does getmetatable work on primitive types then? |
| 21:51 |
PGimeno |
yes it does |
| 21:51 |
PGimeno |
I know the Mesecons LuaController has protections explicitly for that |
| 21:51 |
sfan5 |
how do you make that secure then? |
| 21:52 |
rubenwardy |
setmetatable is required for classes though |
| 21:52 |
PGimeno |
rubenwardy: setmetatable != debug.setmetatable |
| 21:53 |
sfan5 |
it has this https://github.com/minetest-mods/mesecons/blob/737f366741f54659b17bd9c96e2232eedb9735ee/mesecons_luacontroller/init.lua#L601 |
| 21:53 |
sfan5 |
but that doesn't help with securing getmetatable if untrusted code can call it |
| 21:53 |
PGimeno |
sfan5: you can make it secure by hiding the metatable: getmetatable("").__metatable = false |
| 21:54 |
sfan5 |
and only debug.getmetatable can bypass that? |
| 21:54 |
PGimeno |
yes |
| 21:54 |
PGimeno |
sfan5: the LuaController has protections against the code inside the controller modifying the string metatable |
| 21:55 |
sfan5 |
1) how would the luac code even get the metatable? 2) where? |
| 21:57 |
PGimeno |
1) the LuaC would need to be trusted and use debug.getmetatable to get the real thing, 2) in the same link you gave, some lines under that: onetruestring.__index = env.string |
| 21:59 |
PGimeno |
sorry for the confusion, the luacontroller does not allow getmetatable in the first place |
| 21:59 |
sfan5 |
yeah I imagine that'd be hard to sandbox |
| 21:59 |
sfan5 |
anyway it sounds like a good idea for mod security to lock down the metatables of primitive types (except would that break the luac?) |
| 22:00 |
PGimeno |
yes, the luac would need to be trusted, and probably the same goes for any other mod that allows running insecure Lua code |
| 22:01 |
PGimeno |
and also it would need to be modified to use ie.debug.getmetatable instead |
| 22:04 |
|
T4im joined #minetest-dev |
| 22:04 |
sfan5 |
hm |
| 22:41 |
oil_boi |
So that feature request I had on new_pos being part of the moveresult, I just finished it |
| 22:48 |
oil_boi |
-ish |
| 22:48 |
oil_boi |
still gotta divide by 10 on it |
| 22:50 |
oil_boi |
Ooo it works very cool |
| 23:41 |
oil_boi |
#9978 |
| 23:41 |
ShadowBot |
https://github.com/minetest/minetest/issues/9978 -- Add new_pos to moveresult output by oilboi |
| 23:46 |
oil_boi |
I wonder if I can add in entity node friction |