Time  Nick           Message
04:40 cornernote_    Just did a google search for grandfather clock, forgot the L... Noooo!
05:09 Brackston      LOL So it came back with hits for Old roosters?
07:40 * wilkgr       wonders whether to or not
07:41 wilkgr         Perhaps not
10:15 JDCodeIt       @Gundul - somebody mean attacked your Jungle server today
10:23 JDCodeIt       @Gundul - it seems a normal user was able to join and locate all the players and place ignited TNT at their position
11:13 JDCodeIt       Gundul: While someone was blowing me up with TNT I did get kicked with a message about "There is a F****G bug in world edit - fix it" or something of that nature. Hope that helps you find the culprit
11:16 wilkgr         JDCodeIt, I'm pretty sure Gundul isn't online. :/
11:16 red-002        someone didn't patch
11:16 JDCodeIt       Yes, but he could read the log later I hope. Is this a known bug?
11:17 wilkgr         aye
11:17 red-002        aye aye captin
11:17 red-002        there is a fix for it already
11:19 JDCodeIt       red-002: is it in the server code or worldedit mod?
11:20 red-002        mod
11:20 red-002        plus looking at whats happening it looks like someone didn't enable mod security
11:20 Calinou        the MinetestForFun Skyblock server got cracked as well, someone reported an issue
11:21 red-002        this might well be the worst security exploit in minetest history
11:22 JDCodeIt       Hospitals, trains, and Minetest all in the same 24 hours?
11:28 JDCodeIt       red-002: Uberi on Github shows last update a day ago with "Remove useless privilege checks" - was this fix just in the last couple of days?
11:28 Krock          fixed in https://github.com/Uberi/Minetest-WorldEdit/commit/0ce45a5
11:32 JDCodeIt       Krock: so arbitrary LUA could be run via the worldedit GUI?
11:32 Krock          here's LUA: https://github.com/mniip/LUA
11:32 Krock          no. but if you mean Lua, then yes.
11:32 Krock          since the keywords differ
11:36 JDCodeIt       Krock: Is anyone in the MT community trying to contact server owners? Seems this will be exploited further.
11:40 sfan5          don't think anyone is attempting that right now
11:40 Krock          27% of the announced servers most likely have the security leak
11:41 Krock          meanwhile 51% have worldedit
11:48 Out`Of`Control does it effect if WE GUI is off?
11:49 Krock          no
11:51 Out`Of`Control good
11:53 Out`Of`Control how many servers got hacked?
11:53 Out`Of`Control beside 2
11:53 Fixer          hmmmmm, so it is real
11:54 Fixer          i remember some said he had access to creative via worldedit gui or smth... this is real
11:54 Out`Of`Control :O
11:55 ThomasMonroe   ? how is that possible
11:55 Fixer          probably via "Run Lua" ?
11:55 DS-minetest    the only secure bug i know about worldedit gui is that the lua feature could be used without server
11:56 DS-minetest    but you would need we priv
11:56 Out`Of`Control +	name = "Run Lua", privs = minetest.chatcommands["/clearobjects"].privs,
11:57 Out`Of`Control good i disable GUI part from day 1
11:58 Fixer          someone should announce it on forum
11:58 red-002        I wonder what other common mods have exploits
11:58 red-002        I agree with Fixer
11:58 Fixer          to update worldedit immediately
11:59 Fixer          but without giving details about how exploit works
11:59 shivajiva      ^^
11:59 red-002        Responsible disclosure much?
11:59 red-002        someone make a post on the news subforum
12:01 JDCodeIt       the dope had written lua to list all players then place lit TNT at their position. But I guess it could be worse.
12:02 Fixer          executed it via "run lua"?
12:02 JDCodeIt       don't know. I was the recipient of being blown up.
12:03 red-002        I wonder what other mods have this exploit
12:03 red-002        xban had it till the end of last year
12:15 Krock          List of mods used on servers: https://pastebin.com/raw/nkFXpin7
12:18 Fixer          Krock: can you make a list of affected servers? need to check where i need to change my password
12:23 Out`Of`Control worldedit_gui 26% (17)
12:24 red-002        fun
12:24 Krock          Fixer, https://pastebin.com/raw/4NXGQ4Ej
12:25 Krock          where fresh started = uptime < 1 day
12:25 Fixer          reason?
12:25 Krock          but I can't say more precisely which servers can be affected
12:26 Krock          all that aren't marked as (fresh started)  are definitely attackable
12:26 davisonio      mine was also affected - fixed now though and mod security enabled
12:26 Fixer          davisonio: craigs server?
12:26 davisonio      yes
12:27 davisonio      It's down at the mo though (back in a couple hours)
12:29 DuCake         I just was told my server was affected by a hack though I'm travelling so not much info.... all I can say is mod security was enabled at the time but was still affected.... deactivated WorldEdit, I'm hoping that would be sufficient to mitigate for now...?
12:30 davisonio      if it's the world edit_gui hack you're talking about yes It's sufficient
12:30 davisonio      get the latest version for the fix
12:31 DuCake         k cheers
12:33 sfan5          mod security does not help here
12:33 Krock          sure it does. prevents from accessing system relevant data
12:34 Krock          unless the command does around that
12:35 red-002        mod security stops someone from controlling your whole system when this sort of exploit happens
12:37 red-002        I'm hearing reports of people wiping logs which I assume is a side effect of people not enabling mod security
12:39 JDCodeIt       destruction in progress at MM-Survival - tnt blasts can be heard. Admin is not available.
12:40 Krock          hmm.. how about //worldedit_gui_lua minetest.settings:set("secure.enable_security", "true")   ?
12:40 Krock          s/true/false/
12:42 Krock          nvm, blocked by engine
12:42 red-002        JDCodeIt, this might sound a bit black hat
12:42 red-002        but why not shutdown the server?
12:43 Fixer          what exactly fixed that exploit?
12:43 Fixer          "Do not allow any worldedit_gui commands without privs" this
12:43 red-002        is it moral to disable a system to stop it from being abused?
12:44 Krock          Fixer, yes
12:44 JDCodeIt       not my servers... I just  try to notify the admins where possible.
12:44 Fixer          Krock: when vulnerability was introduced? few days ago?
12:45 Krock          dec 2013
12:45 Out`Of`Control old bug
12:45 Fixer          kek
12:45 Krock          alost a few days ago
12:45 Krock          *almost
12:45 JDCodeIt       The "fix" was yesterday, but it must have been in there a long time - the fix was probably the alert that the hackers caught on to
12:46 red-002        well the whole shutting down the server to stop it being exploited moral question is kinda pointless
12:46 Fixer          Krock: give me full list of servers with worldedit_gui (not just fresh guys), pm me, do not expose it
12:46 red-002        the law is pretty clear about this
12:46 Krock          Fixer, these are all
12:46 Fixer          no way
12:46 Fixer          very few?
12:46 Out`Of`Control 17
12:47 Krock          notice that not all are marked with (fresh started)
12:47 Out`Of`Control 1/3
12:47 Fixer          how about shutdowning exposed servers now?
12:47 Krock          what if they have restart scripts?
12:50 red-002        Krock, some of them will not
12:54 red-002        JDCodeIt, any sign of the admin?
12:55 fwhcat         our server has been hacked the same way this night (Mynetest) and another french one too (Axinite)
12:56 Fixer          oh
12:56 Fixer          i was gonna join it to warn admins
12:56 JDCodeIt       fwhcat: was it a map destruction with tnt, or other type of takeover?
12:57 red-002        JDCodeIt, does the admin check backups?
12:57 red-002        if not then maybe the server should be shutdown
12:58 red-002        is anyone with the privs to shutdown the server online?
12:58 JDCodeIt       red-002 - I don't know the admin personally. He mentioned that his map was 19 GB, so not sure how often that is backed up
12:58 celeron55      i'm pretty sure there are non-secured settings that allow disabling a server
12:58 Fixer          is not you can shutdown via lua?
12:59 celeron55      like... setting an invalid bind_address
12:59 red-002        or running shutdown?
13:00 celeron55      i mean, in case there's a restart script
13:01 red-002        kick every one on join even
13:02 Krock          max_users = 0
13:02 red-002        ^
13:02 Fixer          and change MOTD
13:02 red-002        well no
13:02 red-002        people with server privs can bypass that krock
13:02 Fixer          to update your worldedit now
13:02 red-002        which I assume the attackers have by now
13:04 MinetestBot    [git] sfan5 -> minetest/master-server: Re-add banlist features 705ea6e https://git.io/v976e (2017-05-14T13:03:05Z)
13:06 red-002        neat
13:06 Krock          hmm.. "`inetest.chat_send_all("test")` or assert do not have any effect
13:06 Krock          *`minetest.
13:06 red-002        ??
13:07 red-002        oh you are working on exploiting the bug?
13:07 red-002        I was starting to work on that
13:07 Out`Of`Control you could run /clearobjectest would freeze server for some hours
13:07 CWz            i wonder how many victims has this bug claim
13:07 red-002        lol
13:07 Out`Of`Control noone could join anymore
13:07 Fixer          i changed my passwords on some servers
13:08 red-002        Krock, should I continue to work on it or are you going to do it?
13:08 Out`Of`Control Fixer: hacker can see password?
13:08 red-002        they could get a hash of it
13:08 Fixer          Out`Of`Control: if security disabled, can read auth.txt i think
13:08 Out`Of`Control Fixer: uhm ok
13:08 Krock          red-002, I'm trying to exploit it on servers, yes. but so far no success
13:08 red-002        safer to change it but it should be hard to crack that
13:09 red-002        ok then I will try and work on it my self
13:10 Krock          Fixer, well..  local t = minetest.get_player_privs("you")   t.server = true   minetest.set_player_privs("you, t)
13:12 * red-002      is working on this
13:13 fwhcat         JDCodeIt, sorry for being late, the hacker did change some scripts, as our server restarts automatically they were loaded, and people were kicked automatically when joined, our debug.txt has been deleted, we haven't found any map destruction for now.
13:14 red-002        I assume you had mod security disabled?
13:15 fwhcat         I think it is not sure (let me check)
13:15 fwhcat         disabled
13:15 Fixer          kek
13:16 red-002        ^
13:16 red-002        I mean thats a horrible idea
13:16 Fixer          bad, he may changed some files
13:16 Fixer          please audit your minetest files, scripts and OS itself for changes
13:16 fwhcat         I told that already to the admin
13:18 JDCodeIt       if these people are that good, they might even use "touch" to cover the time the file was modified. You need to check it all or recover from backup.
13:18 red-002        they could have gotten shell access or something nasty like that
13:19 fwhcat         well, no our server runs through a unprivileged user, but I asked him as well to check on binaries like openssh etc. (we never know...)
13:29 JDCodeIt       fwhcat: if you use ipban, and ipban.txt file was not deleted, you may be able to compare this to the last backup and see what new IP's came in today.
13:31 MinetestBot    [git] sfan5 -> minetest/master-server: Allow banning by server hostname 828a1fd https://git.io/v97i9 (2017-05-14T13:29:46Z)
13:33 red-002        are there any other servers that are being exploited?
13:36 celeron55      they could have already exploited every server and disabled the original exploit in all of them (and added their own)
13:36 celeron55      in theory
13:36 celeron55      i would guess they're not that good though
13:37 Fixer          MM-survival has some explosions
13:39 red-002        alright I have recreated the exploit
13:46 Pixalou        i
13:46 Pixalou        hi
14:18 JDCodeIt       Pixalou and Gundul: did you read back through today's IRC log?
14:20 Gundul         no, not yet, Just logged in here a couple of minutes ago.
14:23 Gundul         no I did. thanks
14:24 grey-001       Gundul, are you the admin of the server in question?
14:27 Pixalou        JDCodeIt : sorry i was afk. Not read irc log today.
14:28 Gundul         Yes I am running jungle server. Was me the first who was hit ?
14:29 grey-001       you want to shutdown your server if you haven't already
14:30 Gundul         Thanks. I did that already at 12:15 pm :) running backups now and try to repair
14:30 CWz            Gundul, VanessaE was effected first
14:30 CWz            i think
14:30 VanessaE       no I wasn't.
14:30 VanessaE       a couple other guys had exploits before me
14:30 Gundul         My server was hit between 11 and 12 UTC+1
14:31 VanessaE       shut it down, remove worldedit_gui or update it, reboot the server.
14:31 CWz            who where they
14:31 fwhcat         today or yesterday Gundul?
14:31 VanessaE       well and clean up whatever the blackhat fucked up.
14:31 Gundul         today.  fwhcat
14:32 fwhcat         well our server was attacked at 0.30 am UTC+2
14:32 Gundul         I am running a backup from 2 days ago. Saved the image file from this morning only for inspection
14:32 CWz            fortunately mine weren't attacked
14:32 VanessaE       fwhcat, Gundul just remove worldedit_gui or update it to current HEAD, clean up any fucked up privs, boot the server, and clean up any griefing
14:33 CWz            but i disabled new registrations until i hear a confirmed headshot
14:33 VanessaE       and make sure no one has privs who shouldn't
14:33 fwhcat         we did VanessaE but thanks.
14:33 rubenwardy     how many servers are still running old worldedit_gui?
14:33 VanessaE       rubenwardy: most.
14:33 Gundul         already done, Thanks VanessaE
14:33 JDCodeIt       fwhcat indicates the hackers modified scripts in the file system - one should check them carefully
14:33 VanessaE       because the patch is only a day old.
14:33 CWz            I think 70%
14:34 VanessaE       JDCodeIt: that's possible only if mod security is disabled.
14:34 tm3            venessaE ?? only clearing worldedit_gui works or total worldedit atleast as a temporary soln. And wha are those privs no one should have??
14:34 VanessaE       tm3: just worldedit_gui
14:34 VanessaE       privs = everything
14:35 VanessaE       on my server, the attacker granted himself ALL.  as in `/grantme all`
14:35 tm3            oh you mean privs priv?
14:35 VanessaE       so I literally mean, everything
14:35 tm3            oh i got it :) thanks :)
14:35 DS-minetest    btw how could worldedit priv be gotten?
14:35 CWz            glad i quit selfhosting
14:36 tm3            oh no one have privs in our server though not even i even i am a supervisor ;P admin has it though.
14:36 Gundul         you got their ip VanessaE ? my logfiles habe been deleted.
14:36 Gundul         *have
14:36 VanessaE       now, on my server it should be impossible for a blackhat to compromise my mod files because you can't write to a mod's directory since I have mod security enabled, and all critical files are stored on my home PC and synced to the server when I need to update something
14:36 VanessaE       [05-13 01:42] <VanessaE>                         ["REAPERMAN"] = true,
14:36 VanessaE       [05-13 01:42] <VanessaE>                         ["::ffff:87.184.19.200"] = true,
14:36 VanessaE       [05-13 01:42] <VanessaE> ...
14:36 VanessaE       [05-13 01:42] <VanessaE>                         ["::ffff:93.205.60.210"] = true,
14:36 VanessaE       [05-13 01:42] <VanessaE>                         ["REAPER"] = true,
14:37 * VanessaE     waits for ShadowBot to kick :P
14:37 tm3            oh
14:37 Fixer          VanessaE: you have we_gui ?
14:37 VanessaE       Fixer: I used to.  that's how the attacker got in.  I removed it.
14:37 * CWz          activates his trap card to prevent ShadowBot from kicking
14:37 tm3            is it the ip of that hacker? i guess it's just a stupid noob trying to hide is ass behind a hacked client he downloaded. No f88king blackhat has time for this s88t
14:38 Fixer          VanessaE: when you removed it btw? I already changed my password on your servers
14:38 VanessaE       Fixer: I removed it after the second attack (I didn't know worldedit_gui was the cause, the first time), so a day after.
14:38 JDCodeIt       Bonn, Germany
14:39 CWz            i wonder if deezl's server were effected
14:41 Gundul         tm3 what you said was the name of the guy in jungle ?
14:42 tm3            which one?
14:42 tm3            i mean when??
14:43 Gundul         this morning, you told me a few minutes ago
14:43 tm3            oh you had argument with? i asked about him? Oh he is a noob in coding bro. let alone hacking
14:43 tm3            few mins. ago??
14:43 JDCodeIt       there was that argument with ektod
14:43 Gundul         ok, maybe I misunderstood you
14:43 tm3            Aule is a noob you banned he is total noob
14:44 tm3            i know
14:44 Gundul         ektod was from venezuela
14:44 JDCodeIt       he didn't want to replant trees
14:46 IhrFussel      Regarding the WE exploit: My last version was from over a year ago, so my server was most likely never affected by it? (I updated a few hours ago though to be safe)
14:47 JDCodeIt       IP belongs to Deutsche Telekom Ag, D-90492 Nuernberg, Germany
14:47 Fixer          lol
14:47 Fixer          IhrFussel: it is affected
14:48 Fixer          IhrFussel: _update now_
14:48 Fixer          IhrFussel: also check if it was not compromised (silently)
14:48 IhrFussel      Fixer, so the exploit existed for a YEAR and more?
14:48 Fixer          IhrFussel: possibly since ages
14:48 grey-001       since 2013 iirc
14:49 IhrFussel      I already updated and restarted 20 minutes ago...but how would I check if my system was modified?
14:50 JDCodeIt       did you have mod security disabled?
14:50 IhrFussel      I had to disable it, too many mods complained about it
14:51 JDCodeIt       then you must go through your scripts and OS files to see if any were changed
14:51 Fixer          probably since 12 Dec 2013
14:52 Fixer          IhrFussel: check your mod folders, check logs, etc
14:52 Fixer          IhrFussel: check new privileges
14:52 IhrFussel      Nothing can touch the system files..I'm not stupid I run minetestserver not under root
14:52 tm3            rubywarden :P i didn't know ;)
14:53 JDCodeIt       OK, check what could have been changed under the non-privileged user
14:53 tm3            linus??
14:53 fwhcat         torvalds ?
14:53 paly2          Hey :)
14:53 tm3            no linushsao. admin of mars server :0
14:53 tm3            :)
14:54 tm3            i am a supervisor there ;)
14:54 fwhcat         Oh I remember you sorry :)
14:54 tm3            hey hi :) you didn't come. Don't remember your home is there or not :P may be it's there ;)
14:55 linushsao      hi,i'm here
14:55 fwhcat         I haven't been here for 3 months but i'm back
14:55 Fixer          critical vulnerability in worldedit_gui
14:55 tm3            lol ;P
14:55 Fixer          please update now, and check if your server was compromised
14:55 tm3            linus read msg i sent in irc :)
14:55 tm3            in our channel
14:55 Fixer          check any file/playerpriv changes etc
14:56 linushsao      torvalds..no, my "linus" is about the comic "the peanut".
14:56 tm3            every player's privs?? uh
14:56 fwhcat         Fixer: the problem is: the hacker did even delete the logs (at least on our server) he wasn't stupid enough to give himself privs.
14:57 Fixer          tm3: not every, but with nonstandard privs
14:57 Fixer          fwhcat: thats better, better inspect everything, and recheck everything including OS
14:58 linushsao      delete system log?
14:58 tm3            ok thanks :) i am a nonstandard one ;P i have to check mine and another mod. :)
14:58 Fixer          "thats better = thats worse" *
14:58 linushsao      through sshd-server? or that server has ssd service?
14:58 tm3            yes linus jungle's log were deleted
14:59 tm3            Gundul wasn't able to find the log even. :'(
14:59 linushsao      it means hacker hack into server,not only minetestserver.
14:59 tm3            spawn, meselab in jungle completely destroyed ;P
14:59 Fixer          better recheck everything, make sure there are no backdoors on server
14:59 Fixer          if mod security was off, even worse
15:00 linushsao      it's almost the standard process of hacker to delete log, even log-backup couldnt help .
15:00 tm3            may be but i don't think so a hacker has time for hacking a foss game like this. I guess it's just a dumbass trying to save his ass behind a powerful hacked client made by a hacker :)
15:00 fwhcat         no no debug.txt log only, some mods were changed etc.
15:00 fwhcat         if he could change syslogs that would mean he had root access xD
15:00 paly2          Indeed mod security was disabled on our server. I guess that's how the hacker made debug.txt a symlink to /dev/null. Now we've adapted our mods and enabled it (too late, as usual...)
15:00 tm3            just give me the ip of that MF, i will teach him what real hacking is xD
15:00 fwhcat         so yeah in that case, you better reinstall the whole system.
15:00 Fixer          if you run from root - yes
15:01 Fixer          running anything from root is very bad idea
15:01 linushsao      yes,fwhcat.
15:01 paly2          We don't :)
15:01 rubenwardy     > running Minetest as null
15:01 rubenwardy     *root
15:01 rubenwardy     :O
15:01 fwhcat         who would do that? xD
15:01 tm3            :P
15:01 grey-001       people
15:01 Krock          windows users.
15:02 grey-001       said by a windows user
15:02 tm3            yes :) s88t happens. we learn like that :)
15:02 Fixer          proper windows user runs from nonroot
15:02 Krock          on top of that: said by a windows user that runs all software in administrator mode
15:02 tm3            lol :P
15:02 Krock          try to beat that
15:03 Krock          good luck :P
15:03 linushsao      no running on root,of course.
15:04 Krock          <.< I meant like "try running the stuff more insecure than me"
15:05 fwhcat         I can, just for fun Run an old XP and surf the web
15:05 fwhcat         but.... in a VM :D
15:07 tm3            :D
15:09 linushsao      mars server on debian...
15:09 linushsao      if on windows,maybe run on root...@@a
15:10 linushsao      (i remember it's account "administrator".
15:10 rubenwardy     anyone have any experience in auditing a server to check if it's been compromised? If so, please post here (links to good resources are fine): https://forum.minetest.net/viewtopic.php?f=6&t=17601&p=269578#p269578
15:14 Krock          rubenwardy, as you most likely already have seen: https://pastebin.com/raw/4NXGQ4Ej - list of the currently announced servers using worldedit_gui
15:15 Krock          filtering those better would require to join the server and run a test
15:15 rubenwardy     I don't think it's best to publish that
15:15 Krock          surely it isn't.
15:16 Krock          that would only help black hat people to cause more damage
15:18 IhrFussel      Here is a useful command to check which files have been last modified on a Linux system (recursively) find [ENTERPATH] -type f -exec stat --format '%Y :%y %n' "{}" \; | sort -nr | cut -d: -f2- | head -n 500 | less
15:20 rubenwardy     fancy posting that in the topic?
15:20 rubenwardy     along with a disclaimer that the signatures can be modified
15:21 tm3            as per ip provided by venessa, that dumbass's ip from weiden and bonn, germany both ip are registered in deutsche telekom broadband.
15:21 * VanessaE     growls at tm3
15:21 tm3            ?? sorry if i did something :)
15:21 VanessaE       why does everyone insist on misspelling my fscking name...
15:21 tm3            oh ...
15:22 tm3            VanessaE :)
15:22 tm3            now :)
15:22 VanessaE       :)
15:22 Fixer          lol
15:22 Fixer          venessa
15:23 tm3            lol there goes fixer :P
15:24 tm3            red was at red-001 first. now at 005. soon he will reach 007 :)
15:24 DS-minetest    lol
15:24 red-005        lol
15:25 Krock          tm3, assuming a linear increase would mean he'll pass 007 and goes over to 009
15:25 DS-minetest    your name will be red, james red
15:27 IhrFussel      rubenwardy, done
15:27 tm3            lol :P yes james red 009... tatatataannn...taon taon ...
15:27 rubenwardy     thanks
15:37 IhrFussel      I think one GOOD thing is that the exploiters likely don't know the actual WORLD names and therefore cannot delete world files
15:38 IhrFussel      Or can they just use "*" ? Not sure
15:39 DS-minetest    i think, they can get the world path
15:39 paly2          They can list the world directory content
15:39 rubenwardy     if the lua code can return input, they could just do "io.popen('ls')"
15:41 IhrFussel      Wait...the GUI allows you to input Lua and RETURNS output as well? I thought the output would just be something like "successful" or "failed"
15:41 paly2          You can use minetest.chat_send_player
15:43 IhrFussel      True...well it seems like they avoided my server...log files exist, no new high privs in auth.txt ... the last modified files on my machine are the ones I edited manually
15:45 paly2          Does someone have new privs in auth.txt ? 0.o
15:45 IhrFussel      But since the exploit existed for YEARS likely, there is absolutely no reliable way to tell whether or not somebody changed something in that timeframe I guess
15:47 rubenwardy     it's quite interesting
15:47 Krock          but the leak was undiscovered for years. now that there's so much hurry about the recent >>fix<<, only caused all this trouble
15:49 rubenwardy     well, most exploited vulnerabilities are not 0 days, but recently patched things
15:49 rubenwardy     attackers watch update channels
15:49 rubenwardy     although in this case it was a 0 day
15:50 rubenwardy     [citation needed]
15:54 IhrFussel      I just found "find -cmin -N" it lists all files that were last modified within the recent N minutes..very useful
15:54 jubalh         hi
15:54 jubalh         does minetest have enemies yet?
15:54 jubalh         or just neutral figures?
15:55 rubenwardy     well, there's terasology
15:55 rubenwardy     but that's more of a competitor than an enemy
16:00 Krock          minecraft, our worse enemy!
16:00 Krock          *worst
16:00 Krock          </wink>
16:28 Raven262       Minecraft is not your enemy, it never showed to have anything against minetest.
16:55 DS-minetest    does it make sense to get the camera in csm like this: local camera
16:55 DS-minetest    minetest.register_on_connect(function()
16:55 DS-minetest    minetest.after(0, function()
16:55 DS-minetest    camera = minetest.camera
16:55 DS-minetest    end)
16:55 DS-minetest    end)
16:55 DS-minetest    ?
16:55 paly2          Same for minetest.localplayer :/
16:56 DS-minetest    not exactly same
16:56 DS-minetest    localplayer doesn't need that extra after
16:56 red-005        why the after?
16:56 Krock          the camera is not guaranteed to be initialized when the scripts are run
16:57 DS-minetest    camera seems like if it's not there when player starts beeing there
16:57 DS-minetest    hm, i could also very often use the reference
17:00 mega-giga      How many server are hack ? ??
17:02 VanessaE       mega-giga: anyone whose server has a copy of worldedit_gui that's more than a day or two old is vulnerable.
17:02 VanessaE       how many were compromised is not known as yet, but I know two of mine were, and a few others.
17:03 mega-giga      Mynet est
17:03 mega-giga      Mynetest*
17:03 mega-giga      Acidité
17:03 mega-giga      Axinite*
17:04 paly2          (french autocorrect?)
17:04 mega-giga      T'es
17:04 mega-giga      Yes*
17:04 mega-giga      Mdrr
17:05 Fixer          kek
17:31 IhrFussel      Are we 100% that mesecons doesn't have such an exploit? AFAIK there are elements that allow Lua code as well
17:32 IhrFussel      100% sure*
17:32 nore           IhrFussel: yes, but in a protected environment
17:32 paly2          AFAIK the LuaController executes code in a highly restricted environment
17:32 nore           and I tried more than once to attack it
17:33 nore           personally I consider it sage
17:33 nore           *safe
17:33 paly2          MoreMesecons has a LuaBlock that allows to execute code in the global namespace, but it cannot even be placed without the server privilege
17:33 kaeza          the issue has nothing to do with running Lua code. it was not setting the correct privs
17:34 kaeza          or so I see anyway
17:35 IhrFussel      kaeza, it didn't check for ANY privs if I see that correctly
17:37 IhrFussel      And mesecons doesn't require any (high) privs either right? So I wondered if the exploit could exist there too
17:38 IhrFussel      But if it's safe then good
18:37 Out`Of`Control hi
19:08 Yst            Does anyone know how to generate a formspec that matches unified_inventory? Specifically, I need to set the player's formspec to something that isn't one of the registered unified_inventory pages, but I want to keep the feel the same and provide the buttons for reaching actual unified_inventory pages.
19:09 Yst            I guess it'd be the unified_inventory equivalent of sfinv.make_formspec(). Would someone know what function that'd be?
19:49 IhrFussel      "local name=inv:get_stack("give" .. n,1):get_name()" will this return a string like "default:sand" ?
19:51 IhrFussel      I'm trying to disallow certain nodes in the smartshop mod, but the code looks EXTREMELY complicated and I need to know if that's the var I need to check
19:51 rubenwardy     yes
19:51 rubenwardy     not sure what it returns if the stack is empty though
19:52 IhrFussel      rubenwardy, I think the code already makes sure it's not nil..those are the lines before it: local inv = meta:get_inventory() if meta ~= nil then
19:54 calculon       you could still have empty stacks in a non-nil inventory
19:54 rubenwardy     ^
19:55 calculon       and why meta ~= nil ? is this a typo ?
19:57 IhrFussel      I'll give you a pastebin in a sec
20:02 IhrFussel      https://pastebin.com/ieb2wLgF
20:05 calculon       so i think yes, you should take care of empty stacks
20:05 calculon       iirc get_name() returns an empty string in that case, but i'm not sure
20:06 kaeza          >string.find(name,"ingot")
20:06 IhrFussel      Oops I just noticed I forgot to add the player name in chat_send_player xP
20:07 kaeza          great, now I can't buy a bingo table or something
20:08 rubenwardy     IhrFussel, it's pointless to check a table after you call a function in it
20:08 IhrFussel      kaeza, well I could add an underscore at the beginning and hope that the mods name their ingots properly "[material]_ingot"
20:08 rubenwardy     it: meta ~= nil
20:10 IhrFussel      rubenwardy, so I can remove that part of the condition?
20:10 rubenwardy     yeah
20:11 rubenwardy     or check before then
20:11 rubenwardy     it's pointless as the server would have already crashed
20:12 calculon       and i guess get_meta always return a value anyway
20:12 calculon       ho, maybe not if the node is not loaded
20:14 IhrFussel      calculon, the mod crashed a few times already with "meta nil"
20:15 rubenwardy     you need to check before you use it
20:15 calculon       ok
20:26 Hijiri         static typing would have prevented the exploit
20:26 Hijiri         we should have all used haskell for minetest
20:26 rubenwardy     not really
20:26 rubenwardy     you could have still done the exploit with a statically typed language
20:27 rubenwardy     as long as you had the ability to run code from user input
20:27 Hijiri         there was a check, "not admin == name" aka "(not admin) == name" to see if the lua runner was the admin
20:27 Hijiri         that would have been a type error since admin is not a bool
20:28 Hijiri         unless you are using C or something
20:28 rubenwardy     ah, I see
20:28 Hijiri         It wouldn't prevent all exploits of this class though, true
20:29 Hijiri         except maybe by being hard enough to interpret at runtime that nobody bothered to make a mod that runs user lua
20:29 Hijiri         or user haskell
20:30 kaeza          that's why I have the habit of always using parentheses when using the `not` operator ;)
20:30 rubenwardy     Haskell is an awful choice for game modding though
20:32 Hijiri         probably also true
20:37 Hijiri         rubenwardy: actually my mistake, the check was "not admin ~= name" to return early
21:07 Calinou        heh
21:07 Calinou        https://forum.minetest.net/viewtopic.php?f=53&t=17046
21:07 Calinou        someone made an X-Ray cheat with CSM
21:07 Calinou        that was a while ago, but I'm just starting to browse the CSM section now
21:09 PureTryOut[m]  ooh no 😞 I guess that's the downside of having CSM
21:10 KaadmY         Calinou: TIL the item_image formspec element can handle an item count
21:10 KaadmY         I've been doing it manually
21:10 KaadmY         So the item cound thing is fixed
21:10 KaadmY         count*
21:10 KaadmY         Groups are still wonky, I can fix easily though
21:10 Calinou        tons of cheats can be made with CSM, yeah
21:14 PureTryOut[m]  there needs to be a way to protect servers from those...
21:14 rubenwardy     the fix is to not allow get_node if there's no air nearby
21:15 rubenwardy     ie: neighbour
21:15 rubenwardy     and to check LOS or less than 20
21:15 rubenwardy     the problem is that these restrictions make an ambience mod a lot less efficient
21:17 PureTryOut[m]  couldn't an Ambiance mod be made entirely server-side? I thought mods could play sounds per player
21:18 Calinou        hmm, trying out CSM, pretty nice
21:18 Calinou        I need to make some mods again :)
21:18 Calinou        eg. a wallclock on HUD
21:18 Calinou        PureTryOut[m]: they can but it causes lag
21:19 Calinou        also, aesthetic things like these are better left to the client
21:19 Calinou        so the user can easily disable it, etc
21:20 PureTryOut[m]  I guess
21:20 PureTryOut[m]  still, I don't like X-ray mods lol
21:20 Hijiri         what if you use a hybrid approach
21:21 Hijiri         like when requested, the server will calculate the ambience stuff for some area, and send that to the client
21:21 Hijiri         and it will cache that, and so will the client
21:21 Hijiri         or maybe only the client caches it
21:21 Hijiri         I guess that doesn't work for swimming in water and that kind of thing though
21:22 Hijiri         But maybe some effects could be purely client modding, while others are a hybrid like I described
21:22 rubenwardy     it's funny how people have been wanting CSM for years, but now it's been introduced everyone's against it
21:22 Hijiri         I'm sort of against client-provided client mods
21:22 rubenwardy     well, same
21:22 PureTryOut[m]  I'd love a way for mods to send certain commands/functions to the client to do
21:22 Hijiri         The kind of CSM I've wanted is code sent from the server
21:22 PureTryOut[m]  same ^
21:23 PureTryOut[m]  never asked for CSM like it is now
21:23 PureTryOut[m]  I just want my mod to be able to listen to keypresses 😞
21:23 Hijiri         listening to keypresses would be against what the direction of game controls has been though
21:23 Hijiri         because of Android stuff
21:24 rubenwardy     registering events though
21:24 rubenwardy     but that could be done with a server API
21:24 Hijiri         I think the spells idea nerzhul has been mentioning would provide extra controls
21:25 Hijiri         anyway I have to go
21:26 PureTryOut[m]  Hijiri: tbh I don't give a damn about Android
21:26 PureTryOut[m]  I don't want to be limited on PC because of mobile support...
21:27 PureTryOut[m]  and even then, you can probably let the mods make some extra button for touchscreens or whatever
21:41 Yst            I never wanted client-side scripting either. Now that it's here though, I'll probably check it out. After I finish a server-side mod I've been wanting for a couple months though.
22:24 KaadmY         When can we get a fog distance multiplier?
22:25 KaadmY         So rain becomes foggier
23:18 Fixer          KaadmY: is not this already possible?
23:18 KaadmY         I don't think so
23:18 KaadmY         The API has no mention of fog
23:19 KaadmY         And to clarify: I mean as a mod, not client setting
23:19 Fixer          rubenwardy: but but you can locate nyan cat now with ore detect!!111 Oh ... nyan was removed... and dog too...
23:19 KaadmY         Was Nyan removed? :/
23:19 Fixer          KaadmY: i have some impression that some weather mods already do this, i may be wrong
23:19 Fixer          KaadmY: yep
23:19 KaadmY         Awww
23:20 Fixer          KaadmY: because of trademark issues
23:20 Fixer          iirc
23:20 KaadmY         Darn
23:20 Fixer          KaadmY: you can still use it as a mod
23:20 KaadmY         Why not have a cyan cat
23:20 Fixer          LOL
23:20 KaadmY         Just a cyan cat :D
23:20 KaadmY         Also I'm looking at the 0.4.16 API
23:20 KaadmY         It looks like there's TONS of changes from 0.4.15
23:20 KaadmY         And I really want to get my hands on them :D
23:21 Fixer          KaadmY: release is pretty soon btw
23:21 KaadmY         Yeah
23:21 KaadmY         June or something?
23:21 KaadmY         Feature freeze is May 21
23:21 KaadmY         So mid-June/early July?
23:21 Fixer          don't remember, but soon
23:22 Fixer          afk
23:25 frostsnow      Why is there no 50% probability rule in the L-system?
23:31 wilkgr         2017-05-15 09:30:43: ERROR[Main]: Access denied. Reason: You are using an unofficial client. Use the official client from minetest.org
23:31 KaadmY         Hm?
23:31 rubenwardy     which server?
23:32 wilkgr         Captain's Corner (it's a minetesthosting one)
23:32 KaadmY         How does the server tell if it's an unofficial client?
23:32 rubenwardy     sfan5 ^
23:32 rubenwardy     it's not an unofficial client
23:32 rubenwardy     oldcoder is trying to take over the project
23:33 rubenwardy     so he's put that notice in his version to try and get people to use his
23:33 rubenwardy     notice .org
23:33 KaadmY         Oh
23:33 rubenwardy     which is OldCoder's domain
23:33 wilkgr         Indeed, that's why I was so confused
23:33 red-005        does any other server need to be added to the ban list?
23:34 KaadmY         minetest.org seems to be down anyway
23:34 rubenwardy     not for me
23:34 KaadmY         Huh, DNS problem
23:34 red-005        I think I had that issue too
23:35 rubenwardy     would be good to make a bot which auto-bans servers from the server list that display that message