diff options
author | est31 <MTest31@outlook.com> | 2016-12-22 23:16:00 +0100 |
---|---|---|
committer | est31 <MTest31@outlook.com> | 2016-12-22 23:16:00 +0100 |
commit | 81d56b94919dceb7b2e51d70b21a7ca22f852bd5 (patch) | |
tree | 1e9ef1be1b3295a8673d6e4f0bdeb4c2d3a6015f /src/script/cpp_api | |
parent | 8077612dcb48221281e726a60eb97bf73fde462b (diff) | |
parent | 231ac33d34dfaaddf292c5f31b1eae43eeefba2d (diff) | |
download | minetest-81d56b94919dceb7b2e51d70b21a7ca22f852bd5.tar.gz minetest-81d56b94919dceb7b2e51d70b21a7ca22f852bd5.tar.bz2 minetest-81d56b94919dceb7b2e51d70b21a7ca22f852bd5.zip |
Merge 0.4.15 changes into stable-0.4
0.4.15 release!
Diffstat (limited to 'src/script/cpp_api')
-rw-r--r-- | src/script/cpp_api/s_async.cpp | 3 | ||||
-rw-r--r-- | src/script/cpp_api/s_async.h | 2 | ||||
-rw-r--r-- | src/script/cpp_api/s_env.cpp | 4 | ||||
-rw-r--r-- | src/script/cpp_api/s_node.cpp | 1 | ||||
-rw-r--r-- | src/script/cpp_api/s_player.cpp | 6 | ||||
-rw-r--r-- | src/script/cpp_api/s_player.h | 2 | ||||
-rw-r--r-- | src/script/cpp_api/s_security.cpp | 148 | ||||
-rw-r--r-- | src/script/cpp_api/s_security.h | 21 |
8 files changed, 129 insertions, 58 deletions
diff --git a/src/script/cpp_api/s_async.cpp b/src/script/cpp_api/s_async.cpp index 9bf3fcf49..1fb84fab6 100644 --- a/src/script/cpp_api/s_async.cpp +++ b/src/script/cpp_api/s_async.cpp @@ -81,6 +81,7 @@ bool AsyncEngine::registerFunction(const char* name, lua_CFunction func) if (initDone) { return false; } + functionList[name] = func; return true; } @@ -203,7 +204,7 @@ void AsyncEngine::pushFinishedJobs(lua_State* L) { /******************************************************************************/ void AsyncEngine::prepareEnvironment(lua_State* L, int top) { - for (std::map<std::string, lua_CFunction>::iterator it = functionList.begin(); + for (UNORDERED_MAP<std::string, lua_CFunction>::iterator it = functionList.begin(); it != functionList.end(); it++) { lua_pushstring(L, it->first.c_str()); lua_pushcfunction(L, it->second); diff --git a/src/script/cpp_api/s_async.h b/src/script/cpp_api/s_async.h index 8d612d58c..016381e5f 100644 --- a/src/script/cpp_api/s_async.h +++ b/src/script/cpp_api/s_async.h @@ -132,7 +132,7 @@ private: bool initDone; // Internal store for registred functions - std::map<std::string, lua_CFunction> functionList; + UNORDERED_MAP<std::string, lua_CFunction> functionList; // Internal counter to create job IDs unsigned int jobIdCounter; diff --git a/src/script/cpp_api/s_env.cpp b/src/script/cpp_api/s_env.cpp index 82d0d4f0e..913d8539d 100644 --- a/src/script/cpp_api/s_env.cpp +++ b/src/script/cpp_api/s_env.cpp @@ -212,11 +212,13 @@ void ScriptApiEnv::on_emerge_area_completion( { Server *server = getServer(); + // This function should be executed with envlock held. + // The caller (LuaEmergeAreaCallback in src/script/lua_api/l_env.cpp) + // should have obtained the lock. // Note that the order of these locks is important! Envlock must *ALWAYS* // be acquired before attempting to acquire scriptlock, or else ServerThread // will try to acquire scriptlock after it already owns envlock, thus // deadlocking EmergeThread and ServerThread - MutexAutoLock envlock(server->m_env_mutex); SCRIPTAPI_PRECHECKHEADER diff --git a/src/script/cpp_api/s_node.cpp b/src/script/cpp_api/s_node.cpp index 17f0f0dac..379ed773f 100644 --- a/src/script/cpp_api/s_node.cpp +++ b/src/script/cpp_api/s_node.cpp @@ -58,6 +58,7 @@ struct EnumString ScriptApiNode::es_ContentParamType2[] = {CPT2_WALLMOUNTED, "wallmounted"}, {CPT2_LEVELED, "leveled"}, {CPT2_DEGROTATE, "degrotate"}, + {CPT2_MESHOPTIONS, "meshoptions"}, {0, NULL}, }; diff --git a/src/script/cpp_api/s_player.cpp b/src/script/cpp_api/s_player.cpp index 807430678..a8c07476c 100644 --- a/src/script/cpp_api/s_player.cpp +++ b/src/script/cpp_api/s_player.cpp @@ -135,7 +135,8 @@ void ScriptApiPlayer::on_joinplayer(ServerActiveObject *player) runCallbacks(1, RUN_CALLBACKS_MODE_FIRST); } -void ScriptApiPlayer::on_leaveplayer(ServerActiveObject *player) +void ScriptApiPlayer::on_leaveplayer(ServerActiveObject *player, + bool timeout) { SCRIPTAPI_PRECHECKHEADER @@ -144,7 +145,8 @@ void ScriptApiPlayer::on_leaveplayer(ServerActiveObject *player) lua_getfield(L, -1, "registered_on_leaveplayers"); // Call callbacks objectrefGetOrCreate(L, player); - runCallbacks(1, RUN_CALLBACKS_MODE_FIRST); + lua_pushboolean(L, timeout); + runCallbacks(2, RUN_CALLBACKS_MODE_FIRST); } void ScriptApiPlayer::on_cheat(ServerActiveObject *player, diff --git a/src/script/cpp_api/s_player.h b/src/script/cpp_api/s_player.h index 2e4dc2222..86ee1b024 100644 --- a/src/script/cpp_api/s_player.h +++ b/src/script/cpp_api/s_player.h @@ -38,7 +38,7 @@ public: bool on_prejoinplayer(const std::string &name, const std::string &ip, std::string *reason); void on_joinplayer(ServerActiveObject *player); - void on_leaveplayer(ServerActiveObject *player); + void on_leaveplayer(ServerActiveObject *player, bool timeout); void on_cheat(ServerActiveObject *player, const std::string &cheat_type); bool on_punchplayer(ServerActiveObject *player, ServerActiveObject *hitter, float time_from_last_punch, diff --git a/src/script/cpp_api/s_security.cpp b/src/script/cpp_api/s_security.cpp index 730235c7b..1b1f148cd 100644 --- a/src/script/cpp_api/s_security.cpp +++ b/src/script/cpp_api/s_security.cpp @@ -249,8 +249,8 @@ bool ScriptApiSecurity::isSecure(lua_State *L) #define CHECK_FILE_ERR(ret, fp) \ if (ret) { \ - if (fp) std::fclose(fp); \ lua_pushfstring(L, "%s: %s", path, strerror(errno)); \ + if (fp) std::fclose(fp); \ return false; \ } @@ -285,39 +285,50 @@ bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path) if (c == LUA_SIGNATURE[0]) { lua_pushliteral(L, "Bytecode prohibited when mod security is enabled."); + std::fclose(fp); + if (path) { + delete [] chunk_name; + } return false; } // Read the file int ret = std::fseek(fp, 0, SEEK_END); CHECK_FILE_ERR(ret, fp); - if (ret) { - std::fclose(fp); - lua_pushfstring(L, "%s: %s", path, strerror(errno)); - return false; - } + size_t size = std::ftell(fp) - start; char *code = new char[size]; ret = std::fseek(fp, start, SEEK_SET); - CHECK_FILE_ERR(ret, fp); if (ret) { - std::fclose(fp); lua_pushfstring(L, "%s: %s", path, strerror(errno)); + std::fclose(fp); + delete [] code; + if (path) { + delete [] chunk_name; + } return false; } + size_t num_read = std::fread(code, 1, size, fp); if (path) { std::fclose(fp); } if (num_read != size) { lua_pushliteral(L, "Error reading file to load."); + delete [] code; + if (path) { + delete [] chunk_name; + } return false; } if (luaL_loadbuffer(L, code, size, chunk_name)) { + delete [] code; return false; } + delete [] code; + if (path) { delete [] chunk_name; } @@ -325,12 +336,15 @@ bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path) } -bool ScriptApiSecurity::checkPath(lua_State *L, const char *path) +bool ScriptApiSecurity::checkPath(lua_State *L, const char *path, + bool write_required, bool *write_allowed) { + if (write_allowed) + *write_allowed = false; + std::string str; // Transient - std::string norel_path = fs::RemoveRelativePathComponents(path); - std::string abs_path = fs::AbsolutePath(norel_path); + std::string abs_path = fs::AbsolutePath(path); if (!abs_path.empty()) { // Don't allow accessing the settings file @@ -341,18 +355,29 @@ bool ScriptApiSecurity::checkPath(lua_State *L, const char *path) // If we couldn't find the absolute path (path doesn't exist) then // try removing the last components until it works (to allow // non-existent files/folders for mkdir). - std::string cur_path = norel_path; + std::string cur_path = path; std::string removed; while (abs_path.empty() && !cur_path.empty()) { - std::string tmp_rmed; - cur_path = fs::RemoveLastPathComponent(cur_path, &tmp_rmed); - removed = tmp_rmed + (removed.empty() ? "" : DIR_DELIM + removed); + std::string component; + cur_path = fs::RemoveLastPathComponent(cur_path, &component); + if (component == "..") { + // Parent components can't be allowed or we could allow something like + // /home/user/minetest/worlds/foo/noexist/../../../../../../etc/passwd. + // If we have previous non-relative elements in the path we might be + // able to remove them so that things like worlds/foo/noexist/../auth.txt + // could be allowed, but those paths will be interpreted as nonexistent + // by the operating system anyways. + return false; + } + removed = component + (removed.empty() ? "" : DIR_DELIM + removed); abs_path = fs::AbsolutePath(cur_path); } - if (abs_path.empty()) return false; + if (abs_path.empty()) + return false; // Add the removed parts back so that you can't, eg, create a // directory in worldmods if worldmods doesn't exist. - if (!removed.empty()) abs_path += DIR_DELIM + removed; + if (!removed.empty()) + abs_path += DIR_DELIM + removed; // Get server from registry lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_SCRIPTAPI); @@ -369,32 +394,53 @@ bool ScriptApiSecurity::checkPath(lua_State *L, const char *path) // Builtin can access anything if (mod_name == BUILTIN_MOD_NAME) { + if (write_allowed) *write_allowed = true; return true; } // Allow paths in mod path - const ModSpec *mod = server->getModSpec(mod_name); - if (mod) { - str = fs::AbsolutePath(mod->path); + // Don't bother if write access isn't important, since it will be handled later + if (write_required || write_allowed != NULL) { + const ModSpec *mod = server->getModSpec(mod_name); + if (mod) { + str = fs::AbsolutePath(mod->path); + if (!str.empty() && fs::PathStartsWith(abs_path, str)) { + if (write_allowed) *write_allowed = true; + return true; + } + } + } + } + lua_pop(L, 1); // Pop mod name + + // Allow read-only access to all mod directories + if (!write_required) { + const std::vector<ModSpec> mods = server->getMods(); + for (size_t i = 0; i < mods.size(); ++i) { + str = fs::AbsolutePath(mods[i].path); if (!str.empty() && fs::PathStartsWith(abs_path, str)) { return true; } } } - lua_pop(L, 1); // Pop mod name str = fs::AbsolutePath(server->getWorldPath()); - if (str.empty()) return false; - // Don't allow access to world mods. We add to the absolute path - // of the world instead of getting the absolute paths directly - // because that won't work if they don't exist. - if (fs::PathStartsWith(abs_path, str + DIR_DELIM + "worldmods") || - fs::PathStartsWith(abs_path, str + DIR_DELIM + "game")) { - return false; - } - // Allow all other paths in world path - if (fs::PathStartsWith(abs_path, str)) { - return true; + if (!str.empty()) { + // Don't allow access to other paths in the world mod/game path. + // These have to be blocked so you can't override a trusted mod + // by creating a mod with the same name in a world mod directory. + // We add to the absolute path of the world instead of getting + // the absolute paths directly because that won't work if they + // don't exist. + if (fs::PathStartsWith(abs_path, str + DIR_DELIM + "worldmods") || + fs::PathStartsWith(abs_path, str + DIR_DELIM + "game")) { + return false; + } + // Allow all other paths in world path + if (fs::PathStartsWith(abs_path, str)) { + if (write_allowed) *write_allowed = true; + return true; + } } // Default to disallowing @@ -465,7 +511,7 @@ int ScriptApiSecurity::sl_g_loadfile(lua_State *L) if (lua_isstring(L, 1)) { path = lua_tostring(L, 1); - CHECK_SECURE_PATH(L, path); + CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL); } if (!safeLoadFile(L, path)) { @@ -514,14 +560,28 @@ int ScriptApiSecurity::sl_g_require(lua_State *L) int ScriptApiSecurity::sl_io_open(lua_State *L) { + bool with_mode = lua_gettop(L) > 1; + luaL_checktype(L, 1, LUA_TSTRING); const char *path = lua_tostring(L, 1); - CHECK_SECURE_PATH(L, path); + + bool write_requested = false; + if (with_mode) { + luaL_checktype(L, 2, LUA_TSTRING); + const char *mode = lua_tostring(L, 2); + write_requested = strchr(mode, 'w') != NULL || + strchr(mode, '+') != NULL || + strchr(mode, 'a') != NULL; + } + CHECK_SECURE_PATH_INTERNAL(L, path, write_requested, NULL); push_original(L, "io", "open"); lua_pushvalue(L, 1); - lua_pushvalue(L, 2); - lua_call(L, 2, 2); + if (with_mode) { + lua_pushvalue(L, 2); + } + + lua_call(L, with_mode ? 2 : 1, 2); return 2; } @@ -530,7 +590,7 @@ int ScriptApiSecurity::sl_io_input(lua_State *L) { if (lua_isstring(L, 1)) { const char *path = lua_tostring(L, 1); - CHECK_SECURE_PATH(L, path); + CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL); } push_original(L, "io", "input"); @@ -544,7 +604,7 @@ int ScriptApiSecurity::sl_io_output(lua_State *L) { if (lua_isstring(L, 1)) { const char *path = lua_tostring(L, 1); - CHECK_SECURE_PATH(L, path); + CHECK_SECURE_PATH_INTERNAL(L, path, true, NULL); } push_original(L, "io", "output"); @@ -558,16 +618,16 @@ int ScriptApiSecurity::sl_io_lines(lua_State *L) { if (lua_isstring(L, 1)) { const char *path = lua_tostring(L, 1); - CHECK_SECURE_PATH(L, path); + CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL); } + int top_precall = lua_gettop(L); push_original(L, "io", "lines"); lua_pushvalue(L, 1); - int top_precall = lua_gettop(L); lua_call(L, 1, LUA_MULTRET); // Return number of arguments returned by the function, // adjusting for the function being poped. - return lua_gettop(L) - (top_precall - 1); + return lua_gettop(L) - top_precall; } @@ -575,11 +635,11 @@ int ScriptApiSecurity::sl_os_rename(lua_State *L) { luaL_checktype(L, 1, LUA_TSTRING); const char *path1 = lua_tostring(L, 1); - CHECK_SECURE_PATH(L, path1); + CHECK_SECURE_PATH_INTERNAL(L, path1, true, NULL); luaL_checktype(L, 2, LUA_TSTRING); const char *path2 = lua_tostring(L, 2); - CHECK_SECURE_PATH(L, path2); + CHECK_SECURE_PATH_INTERNAL(L, path2, true, NULL); push_original(L, "os", "rename"); lua_pushvalue(L, 1); @@ -593,7 +653,7 @@ int ScriptApiSecurity::sl_os_remove(lua_State *L) { luaL_checktype(L, 1, LUA_TSTRING); const char *path = lua_tostring(L, 1); - CHECK_SECURE_PATH(L, path); + CHECK_SECURE_PATH_INTERNAL(L, path, true, NULL); push_original(L, "os", "remove"); lua_pushvalue(L, 1); diff --git a/src/script/cpp_api/s_security.h b/src/script/cpp_api/s_security.h index 97bc5c067..6876108e8 100644 --- a/src/script/cpp_api/s_security.h +++ b/src/script/cpp_api/s_security.h @@ -23,14 +23,18 @@ with this program; if not, write to the Free Software Foundation, Inc., #include "cpp_api/s_base.h" -#define CHECK_SECURE_PATH(L, path) \ - if (!ScriptApiSecurity::checkPath(L, path)) { \ - throw LuaError(std::string("Attempt to access external file ") + \ - path + " with mod security on."); \ +#define CHECK_SECURE_PATH_INTERNAL(L, path, write_required, ptr) \ + if (!ScriptApiSecurity::checkPath(L, path, write_required, ptr)) { \ + throw LuaError(std::string("Mod security: Blocked attempted ") + \ + (write_required ? "write to " : "read from ") + path); \ } -#define CHECK_SECURE_PATH_OPTIONAL(L, path) \ +#define CHECK_SECURE_PATH(L, path, write_required) \ if (ScriptApiSecurity::isSecure(L)) { \ - CHECK_SECURE_PATH(L, path); \ + CHECK_SECURE_PATH_INTERNAL(L, path, write_required, NULL); \ + } +#define CHECK_SECURE_PATH_POSSIBLE_WRITE(L, path, ptr) \ + if (ScriptApiSecurity::isSecure(L)) { \ + CHECK_SECURE_PATH_INTERNAL(L, path, false, ptr); \ } @@ -43,8 +47,9 @@ public: static bool isSecure(lua_State *L); // Loads a file as Lua code safely (doesn't allow bytecode). static bool safeLoadFile(lua_State *L, const char *path); - // Checks if mods are allowed to read and write to the path - static bool checkPath(lua_State *L, const char *path); + // Checks if mods are allowed to read (and optionally write) to the path + static bool checkPath(lua_State *L, const char *path, bool write_required, + bool *write_allowed=NULL); private: // Syntax: "sl_" <Library name or 'g' (global)> '_' <Function name> |