From 59f84ca0a07e50dd5ce050d38ae1aeb529bd25ac Mon Sep 17 00:00:00 2001
From: ShadowNinja
Date: Mon, 5 Dec 2016 19:59:15 +0000
Subject: Mod security: Allow read-only access to all mod paths
---
 src/script/lua_api/l_areastore.cpp | 4 ++--
 src/script/lua_api/l_mapgen.cpp | 2 +-
 src/script/lua_api/l_settings.cpp | 13 ++++++++++---
 src/script/lua_api/l_settings.h | 3 ++-
 src/script/lua_api/l_util.cpp | 4 ++--
 5 files changed, 17 insertions(+), 9 deletions(-)
(limited to 'src/script/lua_api')
diff --git a/src/script/lua_api/l_areastore.cpp b/src/script/lua_api/l_areastore.cpp
index 0912e2ab0..09a5c78f9 100644
--- a/src/script/lua_api/l_areastore.cpp
+++ b/src/script/lua_api/l_areastore.cpp
@@ -263,7 +263,7 @@ int LuaAreaStore::l_to_file(lua_State *L)
 AreaStore *ast = o->as;
 const char *filename = luaL_checkstring(L, 2);
- CHECK_SECURE_PATH_OPTIONAL(L, filename);
+ CHECK_SECURE_PATH(L, filename, true);
 std::ostringstream os(std::ios_base::binary);
 ast->serialize(os);
@@ -294,7 +294,7 @@ int LuaAreaStore::l_from_file(lua_State *L)
 LuaAreaStore *o = checkobject(L, 1);
 const char *filename = luaL_checkstring(L, 2);
- CHECK_SECURE_PATH_OPTIONAL(L, filename);
+ CHECK_SECURE_PATH(L, filename, false);
 std::ifstream is(filename, std::ios::binary);
 return deserialization_helper(L, o->as, is);
diff --git a/src/script/lua_api/l_mapgen.cpp b/src/script/lua_api/l_mapgen.cpp
index 281f68e46..bc1c32f03 100644
--- a/src/script/lua_api/l_mapgen.cpp
+++ b/src/script/lua_api/l_mapgen.cpp
@@ -1295,7 +1295,7 @@ int ModApiMapgen::l_create_schematic(lua_State *L)
 INodeDefManager *ndef = getServer(L)->getNodeDefManager();
 const char *filename = luaL_checkstring(L, 4);
- CHECK_SECURE_PATH_OPTIONAL(L, filename);
+ CHECK_SECURE_PATH(L, filename, true);
 Map *map = &(getEnv(L)->getMap());
 Schematic schem;
diff --git a/src/script/lua_api/l_settings.cpp b/src/script/lua_api/l_settings.cpp
index 35b82b435..ea3d50857 100644
--- a/src/script/lua_api/l_settings.cpp
+++ b/src/script/lua_api/l_settings.cpp
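Review bot: The third argument to `CHECK_SECURE_PATH` in `l_to_file` is a bare `true`, and nothing at the call site says what it selects. Judging from the commit subject and the `false` passed in `l_from_file`, it appears to mean that write access is required, so a wrong literal would silently turn a write check into the read check that now passes for every mod path. A short trailing comment such as `// true: path must be writable by the calling mod` would make each call reviewable on its own; the same applies to the calls in `l_from_file`, `l_create_schematic`, `l_mkdir` and `l_get_dir_list`. The macro definition is outside this page, so the wording should be confirmed against it.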
@@ -118,6 +118,11 @@ int LuaSettings::l_write(lua_State* L)
 NO_MAP_LOCK_REQUIRED;
 LuaSettings* o = checkobject(L, 1);
+ if (!o->m_write_allowed) {
+ throw LuaError("Settings: writing " + o->m_filename + + " not allowed with mod security on.");
+ }
+ bool success = o->m_settings->updateConfigFile(o->m_filename.c_str());
 lua_pushboolean(L, success);
@@ -142,8 +147,9 @@ int LuaSettings::l_to_table(lua_State* L)
 return 1;
 }
-LuaSettings::LuaSettings(const char* filename)
+LuaSettings::LuaSettings(const char* filename, bool write_allowed)
 {
+ m_write_allowed = write_allowed;
 m_filename = std::string(filename);
 m_settings = new Settings();
@@ -188,9 +194,10 @@ void LuaSettings::Register(lua_State* L)
 int LuaSettings::create_object(lua_State* L)
 {
 NO_MAP_LOCK_REQUIRED;
+ bool write_allowed;
 const char* filename = luaL_checkstring(L, 1);
- CHECK_SECURE_PATH_OPTIONAL(L, filename);
- LuaSettings* o = new LuaSettings(filename);
+ CHECK_SECURE_PATH_POSSIBLE_WRITE(L, filename, &write_allowed);
+ LuaSettings* o = new LuaSettings(filename, write_allowed);
 *(void **)(lua_newuserdata(L, sizeof(void *))) = o;
 luaL_getmetatable(L, className);
 lua_setmetatable(L, -2);
diff --git a/src/script/lua_api/l_settings.h b/src/script/lua_api/l_settings.h
index cb0c09a73..bca333e31 100644
--- a/src/script/lua_api/l_settings.h
+++ b/src/script/lua_api/l_settings.h
@@ -53,11 +53,12 @@ private:
 // to_table(self) -> {[key1]=value1,...}
 static int l_to_table(lua_State* L);
+ bool m_write_allowed;
 Settings* m_settings;
 std::string m_filename;
 public:
- LuaSettings(const char* filename);
+ LuaSettings(const char* filename, bool write_allowed);
 ~LuaSettings();
 // LuaSettings(filename)
diff --git a/src/script/lua_api/l_util.cpp b/src/script/lua_api/l_util.cpp
index 818c1aeeb..26e2b985c 100644
--- a/src/script/lua_api/l_util.cpp
+++ b/src/script/lua_api/l_util.cpp
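Review bot: `bool write_allowed;` in `create_object` has no initializer, so it holds a defined value only if `CHECK_SECURE_PATH_POSSIBLE_WRITE` always stores through `&write_allowed`. The macro is defined outside this page; if it skips the check on some path (for example when mod security is off), the constructor copies an indeterminate value into `m_write_allowed` and `l_write` may then refuse or permit the save arbitrarily. Initialise it at the declaration, e.g. `bool write_allowed = true;` if the macro is a no-op with security disabled and always assigns when it is enabled, so the unsecured case keeps its earlier behaviour. The function body continues outside the hunk.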
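Review bot: `m_write_allowed` is added to the private section of `LuaSettings` without a comment, although it is the only state behind the new refusal in `l_write`. A one-line comment would document the contract, e.g. `// Set in the constructor; when false, l_write() throws instead of saving m_filename`. The class body starts and ends outside the hunk.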
@@ -388,7 +388,7 @@ int ModApiUtil::l_mkdir(lua_State *L)
 {
 NO_MAP_LOCK_REQUIRED;
 const char *path = luaL_checkstring(L, 1);
- CHECK_SECURE_PATH_OPTIONAL(L, path);
+ CHECK_SECURE_PATH(L, path, true);
 lua_pushboolean(L, fs::CreateAllDirs(path));
 return 1;
 }
@@ -400,7 +400,7 @@ int ModApiUtil::l_get_dir_list(lua_State *L)
 const char *path = luaL_checkstring(L, 1);
 short is_dir = lua_isboolean(L, 2) ? lua_toboolean(L, 2) : -1;
- CHECK_SECURE_PATH_OPTIONAL(L, path);
+ CHECK_SECURE_PATH(L, path, false);
 std::vector list = fs::GetDirListing(path);
-- cgit v1.2.3