Update changelog and call this 0.3.3

CMakeLists.txt

@@ -10,7 +10,7 @@ project(minetest)
 # Also remember to set PROTOCOL_VERSION in clientserver.h when releasing
 set(VERSION_MAJOR 0)
 set(VERSION_MINOR 3)
-set(VERSION_PATCH 1)
+set(VERSION_PATCH 3)
 set(VERSION_STRING "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}")
 
 MESSAGE(STATUS "*** Will build version ${VERSION_STRING} ***")

doc/changelog.txt

@@ -3,6 +3,13 @@ Minetest-c55 changelog
 This should contain all the major changes.
 For minor stuff, refer to the commit log of the repository.
 
+0.3.3: (tagged on 2013-03-05)
+- Fix a password-related vulnerability (late backport from some early 0.4)
+
+0.3.2: (tagged on 2012-05-12)
+- Include unistd.h in filesys.cpp
+- Add wooden planks to creative inventory
+
 0.3.1: (released on 2011-11-09)
 - Fix frustum culling (previous versions have rendered too much stuff that is not actually visible (about 180 degrees, while should have been more like 100.))
 - Add occlusion culling (improves performance a lot)

src/base64.cpp

@@ -38,6 +38,13 @@ static inline bool is_base64(unsigned char c) {
   return (isalnum(c) || (c == '+') || (c == '/'));
 }
 
+bool base64_is_valid(std::string const& s)
+{
+	for(int i=0; i<s.size(); i++)
+		if(!is_base64(s[i])) return false;
+	return true;
+}
+
 std::string base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len) {
   std::string ret;
   int i = 0;

src/base64.h

@@ -1,4 +1,5 @@
 #include <string>
 
+bool base64_is_valid(std::string const& s);
 std::string base64_encode(unsigned char const* , unsigned int len);
 std::string base64_decode(std::string const& s);

src/content_craft.cpp

@@ -505,6 +505,7 @@ void craft_set_creative_inventory(Player *player)
 		CONTENT_CLAY,
 		CONTENT_BRICK,
 		CONTENT_TREE,
+		CONTENT_WOOD,
 		CONTENT_LEAVES,
 		CONTENT_CACTUS,
 		CONTENT_PAPYRUS,

src/filesys.cpp

@@ -171,6 +171,7 @@ bool RecursiveDelete(std::string path)
 #include <errno.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
+#include <unistd.h>
 
 std::vector<DirListNode> GetDirListing(std::string pathstring)
 {

src/server.cpp

@@ -39,6 +39,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
 #include "settings.h"
 #include "profiler.h"
 #include "log.h"
+#include "base64.h"
 
 #define PP(x) "("<<(x).X<<","<<(x).Y<<","<<(x).Z<<")"
 
@@ -1961,6 +1962,12 @@ void Server::ProcessData(u8 *data, u32 datasize, u16 peer_id)
 				}
 				password[PASSWORD_SIZE-1] = 0;
 		}
+
+		if(!base64_is_valid(password)){
+			infostream<<"Server: "<<playername<<" supplied invalid password hash"<<std::endl;
+			SendAccessDenied(m_con, peer_id, L"Invalid password hash");
+			return;
+		}
 		
 		std::string checkpwd;
 		if(m_authmanager.exists(playername))
@@ -3265,6 +3272,13 @@ void Server::ProcessData(u8 *data, u32 datasize, u16 peer_id)
 			newpwd += c;
 		}
 
+		if(!base64_is_valid(newpwd)){
+			infostream<<"Server: "<<player->getName()<<" supplied invalid password hash"<<std::endl;
+			// Wrong old password supplied!!
+			SendChatMessage(peer_id, L"Invalid new password hash supplied. Password NOT changed.");
+			return;
+		}
+
 		infostream<<"Server: Client requests a password change from "
 				<<"'"<<oldpwd<<"' to '"<<newpwd<<"'"<<std::endl;