Mod does not work with enabled mod security about qa_block HOT 10 CLOSED

I seen your topic in forum (https://forum.minetest.net/viewtopic.php?f=47&t=15839).
In the last change I implemented the execution by f:read + loadstring in "Run" button. Is this way affected too?

I think the issue with qa_block is the limitation

Reading/writing to anywhere in your mod directory after the init stage.

so there is the way only to request insecure environment by adding this mod to the trusted mods :-/

from qa_block.

If I am right and the limitation is after the init stage only I try to write a "restircted mode" for this that reads all files at init stage and there is no refresh list and no ad-hoc reads of new files :(

from qa_block.

Yeah, I too think that this must be a “trusted mod”. But even trusted mods must obey some rules, so either way changes are neccessary. You can test this mod by enabling mod security for yourselves.

I guess we just need to accept the fact that this mod must be trusted. The mod security feature is an important addition to Minetest and there is good reason to have it enabled. qa_block is mostly a debugging/testing mod anyway, so I guess it is not too much to ask to add this mod to “trusted”.
Since this mod is free software, anyone with doubts can just read the source code. :-)

from qa_block.

What do you think about this solution: https://github.com/bell07/minetest-qa_block/tree/restricted works? In case of no insecure environment the mod should be work as security designed, without ad-hoc functionality.

from qa_block.

Cool, a fallback mode. Nice idea. Just make sure you write it down in README or whatever that the full functionality is only achieved by adding this mod to trusted.

But I have not tested this yet. I am not sure if I get around testing this today. Maybe later, sorry. :-(

from qa_block.

I am not realy firm with documentation. Can you please write some words after testing? I tested it already an it works as expected for me. Just the "Close" button seems to be strange placed without the "Refresh" button at the left. I will add a "not trusted mode" hint to the place of refresh button and then push them to master.

from qa_block.

Today I tested with released minetest version 0.4.15. and security enabled. Found out the previous missed, but needed functionality is available now in security-enabled mode. (io.open, minetest.get_dir_list, loadstring, pcall). Therefore I removed all "restricted-mode" code from the mod in b89d20b
. Tested again, the qa_block does work without any restriction in secured environment and not in trusted-mods list.
Please let me know if you see any issues with this solution.

from qa_block.

Well, it turns out Minetest developers disabled mod security for the 0.4.15 release because they didn't really trust it to be working, so I don't really bother testing now. :P

from qa_block.

I was surprised the security is not enabled by default. But with security enabled there is no issue with qa_block functionality for me. Can you pls. confirm this after a short test (and after the other issue is solved)? So I can close the issue in this case

from qa_block.

Tested with MT 0.4.16 and security enabled. No issue appears. Please reopen the issue if you get a new crash

from qa_block.