From 2e3778ec0c1f77007d064d15310fa816e2a07e88 Mon Sep 17 00:00:00 2001
From: red-001
Date: Sat, 28 Jan 2017 21:43:06 +0000
Subject: Block access to the `io` library
---
 src/script/cpp_api/s_security.cpp | 30 ++++--------------------------
 1 file changed, 4 insertions(+), 26 deletions(-)
(limited to 'src/script')
diff --git a/src/script/cpp_api/s_security.cpp b/src/script/cpp_api/s_security.cpp
index c6aad71b8..ec3a52e8e 100644
--- a/src/script/cpp_api/s_security.cpp
+++ b/src/script/cpp_api/s_security.cpp
@@ -123,6 +123,7 @@ void ScriptApiSecurity::initializeSecurity()
 "path",
 "searchpath",
 };
+#if USE_LUAJIT
 static const char *jit_whitelist[] = {
 "arch",
 "flush",
@@ -134,7 +135,7 @@ void ScriptApiSecurity::initializeSecurity()
 "version",
 "version_num",
 };
-
+#endif
 m_secure = true;
 lua_State *L = getStack();
@@ -245,13 +246,6 @@ void ScriptApiSecurity::initializeSecurityClient()
 "table",
 "math",
 };
- static const char *io_whitelist[] = {
- "close",
- "flush",
- "read",
- "type",
- "write",
- };
 static const char *os_whitelist[] = {
 "clock",
 "date",
@@ -263,6 +257,7 @@ void ScriptApiSecurity::initializeSecurityClient()
 "getinfo",
 };
+#if USE_LUAJIT
 static const char *jit_whitelist[] = {
 "arch",
 "flush",
@@ -274,6 +269,7 @@ void ScriptApiSecurity::initializeSecurityClient()
 "version",
 "version_num",
 };
+#endif
 m_secure = true;
@@ -294,20 +290,6 @@ void ScriptApiSecurity::initializeSecurityClient()
 lua_pop(L, 1);
- // Copy safe IO functions
- lua_getfield(L, old_globals, "io");
- lua_newtable(L);
- copy_safe(L, io_whitelist, sizeof(io_whitelist));
-
- // And replace unsafe ones
- SECURE_API(io, open);
- SECURE_API(io, input);
- SECURE_API(io, output);
- SECURE_API(io, lines);
-
- lua_setglobal(L, "io");
- lua_pop(L, 1); // Pop old IO
-
 // Copy safe OS functions
 lua_getfield(L, old_globals, "os");
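Review bot: The `#if USE_LUAJIT` / `#endif` pair added around `jit_whitelist` in `initializeSecurity()` (hunks `@@ -123,6 +123,7 @@` and `@@ -134,7 +135,7 @@`) is repeated around a second `jit_whitelist` in `initializeSecurityClient()` (hunks `@@ -263,6 +257,7 @@` and `@@ -274,6 +269,7 @@`), and the visible first and last entries of the two tables match, so the sandbox appears to carry two guarded copies of one allowlist. If they are meant to be identical, a single file-scope `static const char *jit_whitelist[]` under one guard would keep the server and client sandboxes from drifting apart; if they are meant to differ, a comment on each saying so would help. Closing the guard as `#endif // USE_LUAJIT` and keeping the blank line before `m_secure = true;` in `initializeSecurity()`, which the second hunk replaces, would also make the block easier to scan. Both functions start and end outside these hunks, so the middle entries of the tables are not visible here.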
@@ -324,10 +306,6 @@ void ScriptApiSecurity::initializeSecurityClient()
 lua_setglobal(L, "debug");
 lua_pop(L, 1); // Pop old debug
- // Remove all of package
- lua_newtable(L);
- lua_setglobal(L, "package");
-
 #if USE_LUAJIT
 // Copy safe jit functions, if they exist
 lua_getfield(L, -1, "jit");
-- 
cgit v1.2.3
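Review bot: The removed lines in this hunk stop replacing the `package` global with an empty table, a sandbox change that the commit subject ("Block access to the `io` library") does not mention. Whether `package` stays unreachable for client-side scripts now depends on how the script environment is built earlier in `initializeSecurityClient()`, which lies outside this hunk. If the new environment starts empty, the global is simply absent, but that should be confirmed rather than assumed. I would leave a marker where the block was, e.g. `// io and package are intentionally not exposed to client-side scripts`, so the omission reads as a decision and is not undone later.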