Block access to the `io` library

master
red-001 2017-01-28 21:43:06 +00:00 committed by Loic Blot
parent f8ad01ab7c
commit 2e3778ec0c
2 changed files with 13 additions and 34 deletions

View File

@ -197,6 +197,7 @@ assert(table.indexof({"foo", "bar"}, "foo") == 1)
assert(table.indexof({"foo", "bar"}, "baz") == -1) assert(table.indexof({"foo", "bar"}, "baz") == -1)
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
if INIT ~= "client" then
function file_exists(filename) function file_exists(filename)
local f = io.open(filename, "r") local f = io.open(filename, "r")
if f == nil then if f == nil then
@ -206,7 +207,7 @@ function file_exists(filename)
return true return true
end end
end end
end
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
function string:trim() function string:trim()
return (self:gsub("^%s*(.-)%s*$", "%1")) return (self:gsub("^%s*(.-)%s*$", "%1"))

View File

@ -123,6 +123,7 @@ void ScriptApiSecurity::initializeSecurity()
"path", "path",
"searchpath", "searchpath",
}; };
#if USE_LUAJIT
static const char *jit_whitelist[] = { static const char *jit_whitelist[] = {
"arch", "arch",
"flush", "flush",
@ -134,7 +135,7 @@ void ScriptApiSecurity::initializeSecurity()
"version", "version",
"version_num", "version_num",
}; };
#endif
m_secure = true; m_secure = true;
lua_State *L = getStack(); lua_State *L = getStack();
@ -245,13 +246,6 @@ void ScriptApiSecurity::initializeSecurityClient()
"table", "table",
"math", "math",
}; };
static const char *io_whitelist[] = {
"close",
"flush",
"read",
"type",
"write",
};
static const char *os_whitelist[] = { static const char *os_whitelist[] = {
"clock", "clock",
"date", "date",
@ -263,6 +257,7 @@ void ScriptApiSecurity::initializeSecurityClient()
"getinfo", "getinfo",
}; };
#if USE_LUAJIT
static const char *jit_whitelist[] = { static const char *jit_whitelist[] = {
"arch", "arch",
"flush", "flush",
@ -274,6 +269,7 @@ void ScriptApiSecurity::initializeSecurityClient()
"version", "version",
"version_num", "version_num",
}; };
#endif
m_secure = true; m_secure = true;
@ -294,20 +290,6 @@ void ScriptApiSecurity::initializeSecurityClient()
lua_pop(L, 1); lua_pop(L, 1);
// Copy safe IO functions
lua_getfield(L, old_globals, "io");
lua_newtable(L);
copy_safe(L, io_whitelist, sizeof(io_whitelist));
// And replace unsafe ones
SECURE_API(io, open);
SECURE_API(io, input);
SECURE_API(io, output);
SECURE_API(io, lines);
lua_setglobal(L, "io");
lua_pop(L, 1); // Pop old IO
// Copy safe OS functions // Copy safe OS functions
lua_getfield(L, old_globals, "os"); lua_getfield(L, old_globals, "os");
@ -324,10 +306,6 @@ void ScriptApiSecurity::initializeSecurityClient()
lua_setglobal(L, "debug"); lua_setglobal(L, "debug");
lua_pop(L, 1); // Pop old debug lua_pop(L, 1); // Pop old debug
// Remove all of package
lua_newtable(L);
lua_setglobal(L, "package");
#if USE_LUAJIT #if USE_LUAJIT
// Copy safe jit functions, if they exist // Copy safe jit functions, if they exist
lua_getfield(L, -1, "jit"); lua_getfield(L, -1, "jit");