Add core.request_insecure_environment()
This commit is contained in:
parent
05ab9973f9
commit
6c06330daf
@ -2290,13 +2290,20 @@ These functions return the leftover itemstack.
|
|||||||
* `minetest.forceload_block(pos)`
|
* `minetest.forceload_block(pos)`
|
||||||
* forceloads the position `pos`.
|
* forceloads the position `pos`.
|
||||||
* returns `true` if area could be forceloaded
|
* returns `true` if area could be forceloaded
|
||||||
|
* Please note that forceloaded areas are saved when the server restarts.
|
||||||
|
|
||||||
* `minetest.forceload_free_block(pos)`
|
* `minetest.forceload_free_block(pos)`
|
||||||
* stops forceloading the position `pos`
|
* stops forceloading the position `pos`
|
||||||
Please note that forceloaded areas are saved when the server restarts.
|
|
||||||
|
|
||||||
minetest.global_exists(name)
|
* `minetest.request_insecure_environment()`: returns an environment containing
|
||||||
^ Checks if a global variable has been set, without triggering a warning.
|
insecure functions if the calling mod has been listed as trusted in the
|
||||||
|
`secure.trusted_mods` setting or security is disabled, otherwise returns `nil`.
|
||||||
|
* Only works at init time.
|
||||||
|
* **DO NOT ALLOW ANY OTHER MODS TO ACCESS THE RETURNED ENVIRONMENT, STORE IT IN
|
||||||
|
A LOCAL VARIABLE!**
|
||||||
|
|
||||||
|
* `minetest.global_exists(name)`
|
||||||
|
* Checks if a global variable has been set, without triggering a warning.
|
||||||
|
|
||||||
### Global objects
|
### Global objects
|
||||||
* `minetest.env`: `EnvRef` of the server environment and world.
|
* `minetest.env`: `EnvRef` of the server environment and world.
|
||||||
|
@ -571,4 +571,7 @@
|
|||||||
|
|
||||||
# Prevent mods from doing insecure things like running shell commands.
|
# Prevent mods from doing insecure things like running shell commands.
|
||||||
#secure.enable_security = false
|
#secure.enable_security = false
|
||||||
|
# Comma-separated list of trusted mods that are allowed to access insecure
|
||||||
|
# functions even when mod security is on (via request_insecure_environment()).
|
||||||
|
#secure.trusted_mods =
|
||||||
|
|
||||||
|
@ -273,6 +273,7 @@ void set_default_settings(Settings *settings)
|
|||||||
settings->setDefault("emergequeue_limit_generate", "32");
|
settings->setDefault("emergequeue_limit_generate", "32");
|
||||||
settings->setDefault("num_emerge_threads", "1");
|
settings->setDefault("num_emerge_threads", "1");
|
||||||
settings->setDefault("secure.enable_security", "false");
|
settings->setDefault("secure.enable_security", "false");
|
||||||
|
settings->setDefault("secure.trusted_mods", "");
|
||||||
|
|
||||||
// physics stuff
|
// physics stuff
|
||||||
settings->setDefault("movement_acceleration_default", "3");
|
settings->setDefault("movement_acceleration_default", "3");
|
||||||
|
@ -32,6 +32,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
|
|||||||
#include "filesys.h"
|
#include "filesys.h"
|
||||||
#include "settings.h"
|
#include "settings.h"
|
||||||
#include "util/auth.h"
|
#include "util/auth.h"
|
||||||
|
#include <algorithm>
|
||||||
|
|
||||||
// debug(...)
|
// debug(...)
|
||||||
// Writes a line to dstream
|
// Writes a line to dstream
|
||||||
@ -316,7 +317,7 @@ int ModApiUtil::l_compress(lua_State *L)
|
|||||||
int ModApiUtil::l_decompress(lua_State *L)
|
int ModApiUtil::l_decompress(lua_State *L)
|
||||||
{
|
{
|
||||||
size_t size;
|
size_t size;
|
||||||
const char * data = luaL_checklstring(L, 1, &size);
|
const char *data = luaL_checklstring(L, 1, &size);
|
||||||
|
|
||||||
std::istringstream is(std::string(data, size));
|
std::istringstream is(std::string(data, size));
|
||||||
std::ostringstream os;
|
std::ostringstream os;
|
||||||
@ -339,6 +340,30 @@ int ModApiUtil::l_mkdir(lua_State *L)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int ModApiUtil::l_request_insecure_environment(lua_State *L)
|
||||||
|
{
|
||||||
|
NO_MAP_LOCK_REQUIRED;
|
||||||
|
if (!ScriptApiSecurity::isSecure(L)) {
|
||||||
|
lua_getglobal(L, "_G");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
lua_getfield(L, LUA_REGISTRYINDEX, SCRIPT_MOD_NAME_FIELD);
|
||||||
|
if (!lua_isstring(L, -1)) {
|
||||||
|
lua_pushnil(L);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
const char *mod_name = lua_tostring(L, -1);
|
||||||
|
std::string trusted_mods = g_settings->get("secure.trusted_mods");
|
||||||
|
std::vector<std::string> mod_list = str_split(trusted_mods, ',');
|
||||||
|
if (std::find(mod_list.begin(), mod_list.end(), mod_name) == mod_list.end()) {
|
||||||
|
lua_pushnil(L);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
lua_getfield(L, LUA_REGISTRYINDEX, "globals_backup");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
void ModApiUtil::Initialize(lua_State *L, int top)
|
void ModApiUtil::Initialize(lua_State *L, int top)
|
||||||
{
|
{
|
||||||
API_FCT(debug);
|
API_FCT(debug);
|
||||||
@ -366,6 +391,8 @@ void ModApiUtil::Initialize(lua_State *L, int top)
|
|||||||
API_FCT(decompress);
|
API_FCT(decompress);
|
||||||
|
|
||||||
API_FCT(mkdir);
|
API_FCT(mkdir);
|
||||||
|
|
||||||
|
API_FCT(request_insecure_environment);
|
||||||
}
|
}
|
||||||
|
|
||||||
void ModApiUtil::InitializeAsync(AsyncEngine& engine)
|
void ModApiUtil::InitializeAsync(AsyncEngine& engine)
|
||||||
|
@ -90,6 +90,9 @@ private:
|
|||||||
// mkdir(path)
|
// mkdir(path)
|
||||||
static int l_mkdir(lua_State *L);
|
static int l_mkdir(lua_State *L);
|
||||||
|
|
||||||
|
// request_insecure_environment()
|
||||||
|
static int l_request_insecure_environment(lua_State *L);
|
||||||
|
|
||||||
public:
|
public:
|
||||||
static void Initialize(lua_State *L, int top);
|
static void Initialize(lua_State *L, int top);
|
||||||
|
|
||||||
@ -98,3 +101,4 @@ public:
|
|||||||
};
|
};
|
||||||
|
|
||||||
#endif /* L_UTIL_H_ */
|
#endif /* L_UTIL_H_ */
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user