Add Lua interface to HTTPFetchRequest

This allows mods to perform both asynchronous and synchronous HTTP requests. Mods are only granted access to HTTP APIs if either mod security is disabled or if they are whitelisted in any of the the secure.http_mods and secure.trusted_mods settings. Adds httpfetch_caller_alloc_secure to generate random, non-predictable caller IDs so that lua mods cannot spy on each others HTTP queries.
2025-11-02 00:05:26 +01:00 · 2016-02-18 11:38:47 +01:00
parent a3892f5a66
commit 31e0667a4a
12 changed files with 357 additions and 1 deletions
--- a/builtin/game/misc.lua
+++ b/builtin/game/misc.lua
@@ -178,3 +178,22 @@ function core.raillike_group(name)
 	end
 	return id
 end
+
+-- HTTP callback interface
+function core.http_add_fetch(httpenv)
+	httpenv.fetch = function(req, callback)
+		local handle = httpenv.fetch_async(req)
+
+		local function update_http_status()
+			local res = httpenv.fetch_async_get(handle)
+			if res.completed then
+				callback(res)
+			else
+				core.after(0, update_http_status)
+			end
+		end
+		core.after(0, update_http_status)
+	end
+
+	return httpenv
+end
--- a/builtin/settingtypes.txt
+++ b/builtin/settingtypes.txt
@@ -1100,6 +1100,10 @@ secure.enable_security (Enable mod security) bool false
 #    functions even when mod security is on (via request_insecure_environment()).
 secure.trusted_mods (Trusted mods) string

+#	Comma-seperated list of mods that are allowed to access HTTP APIs, which
+#	allow them to upload and download data to/from the internet.
+secure.http_mods (HTTP Mods) string
+
 [Client and Server]

 #    Name of the player.