Impact
If a mod saves user input in an ItemStack's metadata, then this can be abused by an attacker to add or modify other meta fields of the same item stack.
What this allows depends on what mods do with the meta data:
- If a mod uses meta to match keys with doors/chests, then this issue would allow attackers to craft keys to match any door/chest.
- Some mods create items from item meta, which would allow attackers to get unlimited quantities of arbitrary items.
- Denial of Service attacks.
- Before 5.2, this could be used for Remote Code Execution
Patches
b5956bd
Workarounds
It is recommended that you update to Minetest 5.4+ or cherry-pick the patch.
Alternatively, you can workaround this issue by removing control characters before setting ItemStack meta:
value = value:gsub("[\x01\x02\x03]", "")
meta:set_string("key", value)
Impact
If a mod saves user input in an ItemStack's metadata, then this can be abused by an attacker to add or modify other meta fields of the same item stack.
What this allows depends on what mods do with the meta data:
Patches
b5956bd
Workarounds
It is recommended that you update to Minetest 5.4+ or cherry-pick the patch.
Alternatively, you can workaround this issue by removing control characters before setting ItemStack meta: