HTTP API: Address security hole (thanks @rubenwardy)

2021-12-06 14:44:40 +01:00 · 2021-12-06 14:44:40 +01:00 · 382ff397a5
parent e4fdfa60bf
commit 382ff397a5
3 changed files with 10 additions and 15 deletions
--- a/init.lua
+++ b/init.lua
@ -1,14 +1,13 @@
 local modpath = core.get_modpath"i3"
+local http = core.request_http_api()
 local _loadfile = dofile(modpath .. "/src/operators.lua")

 local function lf(path)
-	return _loadfile(modpath .. path)
+	return assert(_loadfile(modpath .. path))
 end

 i3 = {
 	modules = {},
-	http = core.request_http_api(),
-
 	MAX_FAVS = 6,
 	INV_SIZE = 4*9,
 	HOTBAR_LEN = 9,
@ -80,7 +79,7 @@ i3 = {
 }

 i3.files.common()
-i3.files.api()
+i3.files.api(http)
 i3.files.compress()
 i3.files.groups()
 i3.files.callbacks()
@ -93,7 +92,7 @@ i3.data = dslz(storage:get_string"data") or {}

 local init_bags = i3.files.bags()
 local init_detached = i3.files.detached()
-local fill_caches = i3.files.caches()
+local fill_caches = i3.files.caches(http)
 local init_hud = i3.files.hud()

 local function get_lang_code(info)
@ -241,4 +240,4 @@ end
 --i3.files.tests.tabs()
 --i3.files.tests.operators()
 --i3.files.tests.compression()
--i3.files.tests.custom_recipes()
+--i3.files.tests.custom_recipes(http)
--- a/src/api.lua
+++ b/src/api.lua
@ -1,4 +1,5 @@
 local make_fs = i3.files.gui()
+local http = ...

 IMPORT("gmatch", "split")
 IMPORT("S", "err", "fmt", "reg_items")
@ -22,13 +23,7 @@ function i3.register_craft(def)
 	local width, c = 0, 0

 	if true_str(def.url) then
-		if not i3.http then
-			return err(fmt([[i3.register_craft(): Unable to reach %s.
-				No HTTP support for this mod: add it to the `secure.http_mods` or
-				`secure.trusted_mods` setting.]], def.url))
-		end
-
-		i3.http.fetch({url = def.url}, function(result)
+		http.fetch({url = def.url}, function(result)
 			if result.succeeded then
 				local t = core.parse_json(result.data)
 				if is_table(t) then
--- a/src/caches.lua
+++ b/src/caches.lua
@ -1,4 +1,5 @@
 local replacements = {fuel = {}}
+local http = ...

 IMPORT("maxn", "copy", "insert", "sort", "match", "sub")
 IMPORT("is_group", "extract_groups", "item_has_groups", "groups_to_items")
@ -269,13 +270,13 @@ local function init_recipes()
 	resolve_aliases(_select)
 	sort(i3.init_items)

-	if i3.http and true_str(i3.export_url) then
+	if http and true_str(i3.export_url) then
 		local post_data = {
 			recipes = i3.recipes_cache,
 			usages  = i3.usages_cache,
 		}

-		i3.http.fetch_async {
+		http.fetch_async {
 			url = i3.export_url,
 			post_data = core.write_json(post_data),
 		}