-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add minetest.settings
to CSM API and allow CSMs to provide settingtypes.txt
#12131
Conversation
minetest.settings
to CSM API (fix #10382)minetest.settings
to CSM API and allow CSMs to provide settingtypes.txt
The original issue for this was rejected: #5454 I'm hesitant to add features to CSM without any consensus on what the future of SSCSM and CSM will be, especially when the features are potentially security sensitive like exposing the entire settings object (which may contain secrets) |
#10382 is still open, just low priority #5454 was closed mostly because of no core devs interested into implementing it as far as I can see.
Its literally a 4 lines feature, and its very useful for CSMs like Does it make any sense to have keystrokes as a SSCSM instead of a CSM? No of course. Its also useful for people who need SSCSM: https://git.minetest.land/MineClone2/MineClone2/issues/1882
CSMs are user installed, so it shouldn't cause any problem. Its exactly the same risk as user that install random minetest mods to play in singleplayer. Yes, there is a risk, but its only with people who doesn't even know what they are doing. (also, you need to connect to a malicious server for a CSM to be able to drop your secrets) Exposing all settings to SSCSM would be a very bad idea, but its just fine (and useful!) for CSM. |
Also, if settings support is added and is later found to be a bad idea for whatever reason, it can just be removed, since the CSM API is unstable. |
Lack of consensus (and focus) can last for a long time, so that's not a good enough reason to turn down useful features.
That's indeed critical, and this can be treated as a whitelist/blacklist of settings that can be safely exposed or not, or only expose an object key ("safe"?), where the publicly safe settings can live, so there would no need to maintain any list. |
As I said above, CSMs are user installed. |
The CSM API and sandbox is designed for SSCSMs, which is why it's so restricted |
But why? CSM and SSCSM will never be executed in the same sandbox after all. CSMs and SSCSM have completely different usecases. |
The current plan is to execute CPCSMs and SSCSMs in the same sandbox Client-provided CSMs exist as a way to test this sandbox Now, they could be given different sandboxes. But this goes back to what I said about needing to determine the future of SSCSM |
This is not feasible. for more context see also this and following messages #10594 (comment) |
I just added the |
I just exposed |
Approved for inclusion by coredev meeting. |
Needs changes & isn't a possible close anymore |
Rebased |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does not protect against writing of secure.
settings; should be guarded by checkSettingSecurity
.
relevant code: minetest/src/script/lua_api/l_settings.cpp Lines 45 to 46 in d400a98
|
But what is exactly to change? |
print(dump(minetest.settings:get("secure.http_mods")))
print(dump(minetest.settings:set("secure.http_mods", "test"))) The problem is that any CSM could write to |
The fix is probably this but someone will have to verify it: diff --git a/src/script/cpp_api/s_security.cpp b/src/script/cpp_api/s_security.cpp
--- a/src/script/cpp_api/s_security.cpp
+++ b/src/script/cpp_api/s_security.cpp
@@ -417,6 +417,12 @@ void ScriptApiSecurity::setLuaEnv(lua_State *L, int thread)
bool ScriptApiSecurity::isSecure(lua_State *L)
{
+#ifndef SERVER
+ auto script = ModApiBase::getScriptApiBase(L);
+ // CSM keeps no globals backup but is always secure
+ if (script->getType() == ScriptingType::Client)
+ return true;
+#endif
lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
bool secure = !lua_isnil(L, -1);
lua_pop(L, 1); |
I go tomorrow on vacation and will not able to push/test something for about two weeks. 😓 You can edit the pull request if someone test the fix. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Works.
Add compact, short information about your PR for easier understanding:
Fix #10382
Allow CSMs to use
minetest.settings
.Allow CSMs to provide
settingtypes.txt
To do
This PR is Ready for Review.
minetest.settings
to CSM APIminetest.setting_get_pos
to CSM APIsettingtypes.txt
How to test
Use this simple script inside a CSM and check the console output:
Open the settings tab and check is there is a
Client Mods
tab.