author | sfan5 <sfan5@live.de> | 2020-03-05 22:03:04 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-05 22:03:04 +0100 |
commit | 8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 (patch) | |
tree | 70bf61852c2f7efcb5c9620af6f60a7fb077516e /doc | |
parent | ef09e8a4d6671f5bfac7b6234fbe52c4b836c2be (diff) | |
Fix potential security issue(s), documentation on minetest.deserialize() (#9369)
Also adds a unit test
Diffstat (limited to 'doc')
-rw-r--r-- | doc/lua_api.txt | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/doc/lua_api.txt b/doc/lua_api.txt index 10ede5168..acf2f77c1 100644 --- a/doc/lua_api.txt +++ b/doc/lua_api.txt @@ -5275,10 +5275,16 @@ Misc. * Convert a table containing tables, strings, numbers, booleans and `nil`s into string form readable by `minetest.deserialize` * Example: `serialize({foo='bar'})`, returns `'return { ["foo"] = "bar" }'` -* `minetest.deserialize(string)`: returns a table - * Convert a string returned by `minetest.deserialize` into a table +* `minetest.deserialize(string[, safe])`: returns a table + * Convert a string returned by `minetest.serialize` into a table * `string` is loaded in an empty sandbox environment. - * Will load functions, but they cannot access the global environment. + * Will load functions if safe is false or omitted. Although these functions + cannot directly access the global environment, they could bypass this + restriction with maliciously crafted Lua bytecode if mod security is + disabled. + * This function should not be used on untrusted data, regardless of the + value of `safe`. It is fine to serialize then deserialize user-provided + data, but directly providing user input to deserialize is always unsafe. * Example: `deserialize('return { ["foo"] = "bar" }')`, returns `{foo='bar'}` * Example: `deserialize('print("foo")')`, returns `nil` |
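Review bot: The new `safe` parameter is documented only for its false/omitted case ("Will load functions if safe is false or omitted"); the hunk never says what `minetest.deserialize` does when `safe` is true, for instance whether a string containing a function is rejected outright, yields `nil`, or raises an error, so a mod author cannot tell from this text what protection `safe=true` actually buys. Suggest adding a bullet directly after that one, e.g. `* If `safe` is true, ...` stating the behaviour. In the same hunk, the signature line still reads "returns a table" while the retained example `deserialize('print("foo")')` returns `nil`; "returns a table or `nil`" would match the examples. Correcting "a string returned by `minetest.deserialize`" to `minetest.serialize` is right, and the explicit warning that `safe` does not make untrusted input acceptable is the key point of the change and reads clearly.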