From 8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 Mon Sep 17 00:00:00 2001 From: sfan5 Date: Thu, 5 Mar 2020 22:03:04 +0100 Subject: Fix potential security issue(s), documentation on minetest.deserialize() (#9369) Also adds an unittest --- doc/lua_api.txt | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/lua_api.txt b/doc/lua_api.txt index 10ede5168..acf2f77c1 100644 --- a/doc/lua_api.txt +++ b/doc/lua_api.txt @@ -5275,10 +5275,16 @@ Misc. * Convert a table containing tables, strings, numbers, booleans and `nil`s into string form readable by `minetest.deserialize` * Example: `serialize({foo='bar'})`, returns `'return { ["foo"] = "bar" }'` -* `minetest.deserialize(string)`: returns a table - * Convert a string returned by `minetest.deserialize` into a table +* `minetest.deserialize(string[, safe])`: returns a table + * Convert a string returned by `minetest.serialize` into a table * `string` is loaded in an empty sandbox environment. - * Will load functions, but they cannot access the global environment. + * Will load functions if safe is false or omitted. Although these functions + cannot directly access the global environment, they could bypass this + restriction with maliciously crafted Lua bytecode if mod security is + disabled. + * This function should not be used on untrusted data, regardless of the + value of `safe`. It is fine to serialize then deserialize user-provided + data, but directly providing user input to deserialize is always unsafe. * Example: `deserialize('return { ["foo"] = "bar" }')`, returns `{foo='bar'}` * Example: `deserialize('print("foo")')`, returns `nil` -- cgit v1.2.3
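Review bot: the new `safe` parameter is only described through its false/omitted behaviour ("Will load functions if safe is false or omitted"); the bullet list should also state what happens when `safe` is true and the string contains a function (whether the call returns `nil`, raises an error, or strips the function), since a caller choosing `safe` needs to know which result to handle. A third example alongside the two existing ones, e.g. `deserialize('return function() end', true)` with its documented result, would make this concrete. The two sentences "This function should not be used on untrusted data, regardless of the value of `safe`" and "It is fine to serialize then deserialize user-provided data" read as contradictory at first glance; consider rewording to say that the string passed to `deserialize` must itself come from a trusted source (such as the output of `minetest.serialize` in the same mod), while the values inside that table may originate from users. Finally, the bytecode caveat is stated as applying "if mod security is disabled"; it would help to say explicitly that with mod security enabled bytecode chunks are rejected, so readers understand the condition rather than treating the warning as universal.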