Time Nick Message 00:19 v-rob #11980 - just to make sure 00:19 ShadowBot https://github.com/minetest/minetest/issues/11980 -- Bump formspec version by v-rob 00:20 kilbith_ thanks buddy 04:31 Baytuch Good morning 07:08 sfan5 v-rob: dunno if the takeaway is to bump formspec version *every* release, but I bet this release has had new features (right?) so a bump is justified anyway 07:09 v-rob That's what I didn't remember, whether we were bumping every release or not. The issue didn't really say as far as I could see. 07:09 v-rob I know we are for protocol at least 07:09 sfan5 yeah 07:09 v-rob I actually don't think we have any new elements this release, but lemme check 07:13 v-rob NVM, we added padding[] 07:13 v-rob So bump then 07:14 v-rob I'd better document that in lua_api.txt under the new version 5 07:17 v-rob Neat, formspec versions are currently synced with minor release number. Version 4 was for 5.4, version 5 will be for 5.5 07:19 v-rob PR updated 16:14 kilbith one should backport this PR into upstream as MoNTE48 is telling his developers not to do this: https://github.com/MultiCraft/MultiCraft2/pull/25 17:51 sfan5 asking again: does anyone agree that #11922 can be in 5.5 despite being a feature? 17:51 ShadowBot https://github.com/minetest/minetest/issues/11922 -- Allow resetting celestial vault elements by leaving its arguments empty by Zughy 17:55 erlehmann sfan5 to be useful, it would at least need #11930 too 17:55 ShadowBot https://github.com/minetest/minetest/issues/11930 -- set_sun/set_moon: setting textures to something and then to their default name again creates dummy broken images 17:56 sfan5 from what zughy said that looked like an edge case not likely to happen 17:58 sfan5 anyway the defaults are clearly wrong, there is no such sun.png texture 18:01 erlehmann by the way i looked into the stuff i uncovered using the TGA test nodes. it seems the grayscale tga pictures get a yellow tint indeed because irrlicht assumes at this point anything 16 bit is A1R5G5B5 and thus having a grayscale image with an alpha channel *somewhat* works. but obviously not correctly at all 18:04 erlehmann somewhat unrelated, A1R5G5B5 images have no functioning alpha channel right now, because they get converted to 24bpp RGB colors internally and not 32bpp RGBA colors 18:05 erlehmann and also there might be endianness bugs in getPixel() ? i have to verify that some time later 18:08 erlehmann does anyone here have access to a big endian machine? 20:26 erlehmann once i can execute lua code in a minetest server (mod) context, what would be the best way to get outside of it? 20:26 erlehmann like to escape the sandbox, so to say 20:26 erlehmann (i am thinking about this from the perspective of an minetest client attacker, not a mod author) 20:27 MTDiscord Do you mean like in a "having help on the outside" sense, like to connect to some external helper thing? 20:27 rubenwardy if there are any trusted_mods, then you can try to see if it leaks the environment 20:28 MTDiscord Personally I have built a few things using LuaSockets to allow the mod to listen on a unix-domain socket in the worldpath, and then I can connect external helpers that way. Haven't found a portable way to do it with mod security enabled though. 20:28 MTDiscord Erlehmann: mostly because it packages a lot of stuff we don't care about like test scripts, readmes, and yet another jsonhpp. Ideally we wouldn't require all that bloat. Plus the format is not truly dead, so we may want to support our own extensions someday far in the future. 20:28 MTDiscord A lot of people have given me "well duh, that's easy, you just X" solutions that work in about 80% of cases. 20:29 erlehmann exe_virus sorry, context? 20:29 MTDiscord Yesterday, the tinygltf thing 20:30 MTDiscord if i recall correctly you can escape the sandbox be serializing code and then exicuting it 20:30 erlehmann ah 20:30 MTDiscord The serialization thing has been closed 20:30 erlehmann Jonathon, yeah that works for normal lua, but does it works for a minetest mod? 20:30 erlehmann uh when was it closed? 20:30 MTDiscord While back, I'd have to git blame 20:30 MTDiscord Probably 2020 20:30 rubenwardy the question is about a server mod context 20:30 rubenwardy not about a mod's sandbox 20:31 rubenwardy so deserialize won't make a difference 20:31 erlehmann exe_virus oh do you mean the client-sent server mods thing in 5.3 that was removed from 5.4? 20:31 erlehmann or something else 20:31 MTDiscord Gotcha, thanks ruben 20:31 rubenwardy erlehmann: if you passed deserialize into a sandbox like mesecons luacontroller, they could use it to escape to the mod environment 20:31 MTDiscord File system hacks is how I would do it 20:32 MTDiscord Like: before the world generates, make a map.sqlite that is designed to break out of the context due to a bug in SQLite or similar 20:33 erlehmann rubenwardy, i see. now … they can only hang the server, right? 20:34 erlehmann by creating a lot of strings 20:34 rubenwardy with that, you can do anything you can do in a mod environment. Change passwords, ban users, access chat, etc 20:34 rubenwardy oh right, *now* 20:34 erlehmann yeah, i know that it was insecure before 20:34 rubenwardy yeah, now it should be fine - just might freeze the server 20:35 erlehmann i remember that your-land.de required you to build like 3 non-trivial mesecons machines before you could get access to that 20:35 erlehmann because of the potential for lag machines 20:36 erlehmann my best lag machine was something i used to destroy a bunch of duped sponges i stole from fleckenstein hehe 20:36 erlehmann it dropped all the sponges into lava, but that meant they existed as items in flight for a while, i.e. entities 20:36 sfan5 offtopic stories -> #minetest 20:36 erlehmann ok 20:36 erlehmann back to mod security 20:37 erlehmann i already know that you can cheat inside the game once you have gained the mod level (i.e. outside of sandbox) 20:37 erlehmann right? 20:37 sfan5 which sandbox are you talking about? the engine has only one sandbox that protects the OS from mods 20:37 erlehmann but a mod can only write into its own directory. how is that mediated and may there be holes? 20:38 rubenwardy erlehmann: not after load time 20:38 erlehmann sfan5 the one that does not let you play serialize games 20:38 rubenwardy sfan5: setfenv in mesecons luacontrollers 20:38 rubenwardy erlehmann: mods don't get any special privileges after load time, they can only get handles to write/etc whilst loading in their own init.lua files 20:38 erlehmann rubenwardy wait, at *load* time a mod can write somewhere else? or what can it do? 20:39 rubenwardy no, at load time a mod can write to its own directory. After load time, a mod cannot write to its own directory (unless it has an open handle) 20:39 erlehmann uh, well the maps mod in mcl2 and mcl5 does write tga files there though. i assume it has a handle … to the directory? 20:40 erlehmann is a handle an inode or sth? 20:40 erlehmann i guess all security escalation techniques ultimately come down to finding an existing gadget, like the domain socket that wsor1024 mentioned 20:40 erlehmann and subverting it 20:40 erlehmann thank you all! 20:42 MTDiscord It can also always write to the world folder 20:42 erlehmann can anyone who understands C++ much better than i do figure out if this is indeed an endianness bug? because if it is, minetest has it inherited: https://sourceforge.net/p/irrlicht/bugs/431/ 20:43 MTDiscord Endianess bugs are typically hardware specific 20:44 MTDiscord Either way, I wanted a core devs opinion on the gltf thing. Should I just bring the single MIT header into the PR or should I submodule about 10 files? 20:44 MTDiscord It would introduce two competing jsonhpp does into our codebase if I submodule 20:44 MTDiscord Deps* 20:44 sfan5 "jsonhpp"? 20:46 erlehmann exe_virus competing in what way? 20:53 v-rob sfan5: I'm fine with #11922 going into 5.5, it does have two approvals after all, so we might as well 20:53 ShadowBot https://github.com/minetest/minetest/issues/11922 -- Allow resetting celestial vault elements by leaving its arguments empty by Zughy 20:54 [0] We already depend on jsoncpp, I'd prefer to not have two JSON libraries. 20:54 sfan5 agreed 20:54 sfan5 v-rob: okay thanks, guess I'll merge that then when it's ready 20:54 sfan5 (waiting on this https://github.com/minetest/minetest/issues/11930#issuecomment-1018744481) 20:55 v-rob OK 20:55 Pexin erlehmann: isn't that sourceforge example explicitly re-ordering the bytes into something that's not big OR little endian? 20:56 MTDiscord Kk, that's what I figured. I'll make sure it uses our jsoncpp 20:56 MTDiscord Thanks for the input 20:59 welfarejazz through the lua api is there a way to change the player's step height? 20:59 v-rob It would be sane if SColor stored its bytes in the native platform's endianness. It's in-memory after all. I don't know if Irrlicht is sane, however. 21:00 sfan5 welfarejazz: yes, part of object properties (set_properties) 21:00 welfarejazz thank you 21:05 Pexin erlehmann: as I read it, that bug report refers to 2 potential problems. endianness (which may or may not be a problem if interpreted unchanged as u32?) and the unrelated swap of R and B 21:06 v-rob erlehmann: Looking at the source for SColor, it does use platform-native endianness. As long as libpng (and other image loading libraries) flip endianness properly, there should be no issue. 21:06 v-rob I would assume that they do 21:06 v-rob It would be somewhat ludicrous if a library as established as libpng didn't work on big-endian systems :) 21:07 MTDiscord Is minetest C++11, or C++14? 21:07 v-rob 11 21:08 erlehmann Pexin middle-endian, they call it lol 21:08 v-rob Minetest does not need to work on a PDP-11, please and thank you 21:09 erlehmann Pexin, well ABGR is a real thing 21:13 Pexin don't quote me, but I suspect that "solution" actually _creates_ an endianness problem.. you should definitely get an expert opinion though 21:15 Pexin oh wait nevermind that's a constructor 21:17 Pexin this is what happens when you offer advice while distracted 21:19 Pexin the fact remains the point of that report was BR swap 22:51 sfan5 #11976 review plz 22:51 ShadowBot https://github.com/minetest/minetest/issues/11976 -- [NO SQUASH] Database-related changes by sfan5 22:51 sfan5 and I have no idea what to do with #11831, there's way too much code for what should be a simple fix 22:51 ShadowBot https://github.com/minetest/minetest/issues/11831 -- Don't go out of the map during raycast by savilli 23:04 erlehmann sfan5 does it depend on the android version if the workaround is needed or is simply havivng new enough sqlite for android enough? 23:05 sfan5 it'll be the latter 23:07 MTDiscord I will try to add 11976 to the main server and report back whether it helped. Is there anything else I can do to further it in any direction? 23:08 sfan5 nah that's all :)