celeron55
/
buildat
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

extensions/urho3d: Fix exploit revealed by extensions/sandbox_test caused by a stupid mistake

master
Perttu Ahola 2014-09-28 12:56:14 +03:00
parent 1148decb2a
commit 0e7c9fc6e4
5 changed files with 13 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
doc/client_api.txt
View File

@ -134,8 +134,11 @@ Unsafe interfaces of built-in extensions
urho3d
------
The default unsafe interface is the same as the safe interface. It is so to
enforce interoperability between modules and extensions.
The unsafe interface consists of the namespace tables "safe" and "unsafe". Use
the safe interface unless the unsafe one is specifically needed:
require("buildat/extension/urho3d").safe
This enforces interoperability between modules and extensions.
If you get an error like this:
'Disallowed type: "userdata"; Allowed types: ...'
@ -152,9 +155,9 @@ sandboxed version in order to make interfacing possible between all of them.
The unsafe version of the urho3d extension actually just wraps to the global
environment, except for the additions to the API documented here.
Note that due to technical reasons Urho3D's API is currently always globally
defined in the extension environment, but this will not be supported in the
future.
Note that due to technical reasons Urho3D's non-sandboxed API is currently
always globally defined in the extension environment, but this will not be
supported in the future.
Additions to regular Urho3D:

2
extensions/__menu/init.lua
View File

@ -2,7 +2,7 @@
-- http://www.apache.org/licenses/LICENSE-2.0
-- Copyright 2014 Perttu Ahola <celeron55@gmail.com>
local log = buildat.Logger("extension/__menu")
local magic = require("buildat/extension/urho3d")
local magic = require("buildat/extension/urho3d").safe
local uistack = require("buildat/extension/uistack")
local dump = buildat.dump
local M = {safe = nil}

2
extensions/sandbox_test/try_exploit.lua
View File

@ -2,7 +2,7 @@
-- http://www.apache.org/licenses/LICENSE-2.0
-- Copyright 2014 Perttu Ahola <celeron55@gmail.com>
local log = buildat.Logger("try_exploit.lua")
local magic = require("buildat/extension/urho3d")
local magic = require("buildat/extension/urho3d").safe
local uistack = require("buildat/extension/uistack")
local dump = buildat.dump
local M = {}

2
extensions/uistack/init.lua
View File

@ -3,7 +3,7 @@
-- Copyright 2014 Perttu Ahola <celeron55@gmail.com>
local log = buildat.Logger("extension/uistack")
local magic_sandbox = require("buildat/extension/magic_sandbox")
local magic = require("buildat/extension/urho3d")
local magic = require("buildat/extension/urho3d").safe
local dump = buildat.dump
local M = {safe = {}}
log:info("extension/uistack/init.lua: Loading")

6
extensions/urho3d/init.lua
View File

@ -372,10 +372,8 @@ end
-- Create the final interface
--
local M = Safe
M.safe = M
local M = {}
M.safe = Safe
M.unsafe = Unsafe
return M