From 8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 Mon Sep 17 00:00:00 2001
From: sfan5 <sfan5@live.de>
Date: Thu, 5 Mar 2020 22:03:04 +0100
Subject: Fix potential security issue(s), documentation on
 minetest.deserialize() (#9369)

Also adds an unittest
---
 builtin/common/tests/serialize_spec.lua | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

(limited to 'builtin/common/tests')

diff --git a/builtin/common/tests/serialize_spec.lua b/builtin/common/tests/serialize_spec.lua
index 321d2766a..c41b0a372 100644
--- a/builtin/common/tests/serialize_spec.lua
+++ b/builtin/common/tests/serialize_spec.lua
@@ -1,6 +1,6 @@
 _G.core = {}
 
-_G.setfenv = function() end
+_G.setfenv = require 'busted.compatibility'.setfenv
 
 dofile("builtin/common/serialize.lua")
 
@@ -25,4 +25,20 @@ describe("serialize", function()
 		local test_out = core.deserialize(core.serialize(test_in))
 		assert.same(test_in, test_out)
 	end)
+
+	it("strips functions in safe mode", function()
+		local test_in = {
+			func = function(a, b)
+				error("test")
+			end,
+			foo = "bar"
+		}
+
+		local str = core.serialize(test_in)
+		assert.not_nil(str:find("loadstring"))
+
+		local test_out = core.deserialize(str, true)
+		assert.is_nil(test_out.func)
+		assert.equals(test_out.foo, "bar")
+	end)
 end)
-- 
cgit v1.2.3