From 2e3778ec0c1f77007d064d15310fa816e2a07e88 Mon Sep 17 00:00:00 2001 From: red-001 Date: Sat, 28 Jan 2017 21:43:06 +0000 Subject: [PATCH] Block access to the `io` library --- builtin/common/misc_helpers.lua | 17 +++++++++-------- src/script/cpp_api/s_security.cpp | 30 ++++-------------------------- 2 files changed, 13 insertions(+), 34 deletions(-) diff --git a/builtin/common/misc_helpers.lua b/builtin/common/misc_helpers.lua index e145a5bfc..a1417dbd4 100644 --- a/builtin/common/misc_helpers.lua +++ b/builtin/common/misc_helpers.lua @@ -197,16 +197,17 @@ assert(table.indexof({"foo", "bar"}, "foo") == 1) assert(table.indexof({"foo", "bar"}, "baz") == -1) -------------------------------------------------------------------------------- -function file_exists(filename) - local f = io.open(filename, "r") - if f == nil then - return false - else - f:close() - return true +if INIT ~= "client" then + function file_exists(filename) + local f = io.open(filename, "r") + if f == nil then + return false + else + f:close() + return true + end end end - -------------------------------------------------------------------------------- function string:trim() return (self:gsub("^%s*(.-)%s*$", "%1")) diff --git a/src/script/cpp_api/s_security.cpp b/src/script/cpp_api/s_security.cpp index c6aad71b8..ec3a52e8e 100644 --- a/src/script/cpp_api/s_security.cpp +++ b/src/script/cpp_api/s_security.cpp @@ -123,6 +123,7 @@ void ScriptApiSecurity::initializeSecurity() "path", "searchpath", }; +#if USE_LUAJIT static const char *jit_whitelist[] = { "arch", "flush", @@ -134,7 +135,7 @@ void ScriptApiSecurity::initializeSecurity() "version", "version_num", }; - +#endif m_secure = true; lua_State *L = getStack(); @@ -245,13 +246,6 @@ void ScriptApiSecurity::initializeSecurityClient() "table", "math", }; - static const char *io_whitelist[] = { - "close", - "flush", - "read", - "type", - "write", - }; static const char *os_whitelist[] = { "clock", "date", @@ -263,6 +257,7 @@ void ScriptApiSecurity::initializeSecurityClient() "getinfo", }; +#if USE_LUAJIT static const char *jit_whitelist[] = { "arch", "flush", @@ -274,6 +269,7 @@ void ScriptApiSecurity::initializeSecurityClient() "version", "version_num", }; +#endif m_secure = true; @@ -294,20 +290,6 @@ void ScriptApiSecurity::initializeSecurityClient() lua_pop(L, 1); - // Copy safe IO functions - lua_getfield(L, old_globals, "io"); - lua_newtable(L); - copy_safe(L, io_whitelist, sizeof(io_whitelist)); - - // And replace unsafe ones - SECURE_API(io, open); - SECURE_API(io, input); - SECURE_API(io, output); - SECURE_API(io, lines); - - lua_setglobal(L, "io"); - lua_pop(L, 1); // Pop old IO - // Copy safe OS functions lua_getfield(L, old_globals, "os"); @@ -324,10 +306,6 @@ void ScriptApiSecurity::initializeSecurityClient() lua_setglobal(L, "debug"); lua_pop(L, 1); // Pop old debug - // Remove all of package - lua_newtable(L); - lua_setglobal(L, "package"); - #if USE_LUAJIT // Copy safe jit functions, if they exist lua_getfield(L, -1, "jit");