Validate & sanitize formspec fields (#3022)

appgurueu · web-flow · commit 833ed776204b · 2023-04-08T18:13:45.000+02:00
diff --git a/mods/creative/inventory.lua b/mods/creative/inventory.lua
@@ -192,10 +192,13 @@ function creative.register_tab(name, title, items)
 				inv.start_i = 0
 				inv.filter = ""
 				sfinv.set_player_inventory_formspec(player, context)
-			elseif fields.creative_search or
-					fields.key_enter_field == "creative_filter" then
+			elseif (fields.creative_search or
+					fields.key_enter_field == "creative_filter")
+					and fields.creative_filter then
 				inv.start_i = 0
-				inv.filter = fields.creative_filter:lower()
+				inv.filter = fields.creative_filter:sub(1, 128) -- truncate to a sane length
+						:gsub("[%z\1-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
+						:lower() -- search is case insensitive
 				sfinv.set_player_inventory_formspec(player, context)
 			elseif not fields.quit then
 				local start_i = inv.start_i or 0
diff --git a/mods/default/craftitems.lua b/mods/default/craftitems.lua
@@ -148,7 +148,7 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
 		return
 	end
 
-	if fields.close then
+	if fields.quit then
 		book_writers[player_name] = nil
 	end
 
@@ -179,6 +179,7 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
 		data.description = S("\"@1\" by @2", short_title, data.owner)
 		data.text = fields.text:sub(1, max_text_size)
 		data.text = data.text:gsub("\r\n", "\n"):gsub("\r", "\n")
+		data.text = data.text:gsub("[%z\1-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
 		data.page = 1
 		data.page_max = math.ceil((#data.text:gsub("[^\n]", "") + 1) / lpp)
 
diff --git a/mods/default/nodes.lua b/mods/default/nodes.lua
@@ -2597,12 +2597,12 @@ local function register_sign(material, desc, def)
 			if not text then
 				return
 			end
-			if string.len(text) > 512 then
+			if #text > 512 then
 				minetest.chat_send_player(player_name, S("Text too long"))
 				return
 			end
-			default.log_player_action(sender, "wrote \"" .. text ..
-				"\" to the sign at", pos)
+			text = text:gsub("[%z-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
+			default.log_player_action(sender, ("wrote %q to the sign at"):format(text), pos)
 			local meta = minetest.get_meta(pos)
 			meta:set_string("text", text)
 
diff --git a/mods/mtg_craftguide/init.lua b/mods/mtg_craftguide/init.lua
@@ -345,8 +345,11 @@ local function on_receive_fields(player, fields)
 		data.items = init_items
 		return true
 
-	elseif fields.key_enter_field == "filter" or fields.search then
-		local new = fields.filter:lower()
+	elseif (fields.key_enter_field == "filter" or fields.search)
+			and fields.filter then
+		local new = fields.filter:sub(1, 128) -- truncate to a sane length
+				:gsub("[%z\1-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
+				:lower() -- search is case insensitive
 		if data.filter == new then
 			return
 		end
