author | sfan5 <sfan5@live.de> | 2020-03-05 22:03:04 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-05 22:03:04 +0100 |
commit | 8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 (patch) | |
tree | 70bf61852c2f7efcb5c9620af6f60a7fb077516e /builtin/common/tests | |
parent | ef09e8a4d6671f5bfac7b6234fbe52c4b836c2be (diff) | |
Fix potential security issue(s), documentation on minetest.deserialize() (#9369)
Also adds a unit test
Diffstat (limited to 'builtin/common/tests')
-rw-r--r-- | builtin/common/tests/serialize_spec.lua | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/builtin/common/tests/serialize_spec.lua b/builtin/common/tests/serialize_spec.lua
index 321d2766a..c41b0a372 100644
--- a/builtin/common/tests/serialize_spec.lua
+++ b/builtin/common/tests/serialize_spec.lua
@@ -1,6 +1,6 @@
 _G.core = {}
-_G.setfenv = function() end
+_G.setfenv = require 'busted.compatibility'.setfenv
 dofile("builtin/common/serialize.lua")
@@ -25,4 +25,20 @@ describe("serialize", function()
 local test_out = core.deserialize(core.serialize(test_in))
 assert.same(test_in, test_out)
 end)
+
+ it("strips functions in safe mode", function()
+ local test_in = {
+ func = function(a, b)
+ error("test")
+ end,
+ foo = "bar"
+ }
+
+ local str = core.serialize(test_in)
+ assert.not_nil(str:find("loadstring"))
+
+ local test_out = core.deserialize(str, true)
+ assert.is_nil(test_out.func)
+ assert.equals(test_out.foo, "bar")
+ end)
 end) |
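Review bot: The new line `_G.setfenv = require 'busted.compatibility'.setfenv` carries no comment saying why the earlier no-op stub was not good enough. Judging from the commit title, deserialize() presumably uses setfenv to confine the chunks it loads, so with a no-op stub the specs would run serialized code in the full global environment and a sandbox regression would go unnoticed. A comment such as `-- real setfenv required: deserialize() confines loaded chunks with it; a no-op stub would hide sandbox regressions` would stop a later cleanup from reverting it. serialize.lua is not shown on this page (the diffstat is limited to the tests directory), so confirm the wording against it.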
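Review bot: The added spec only exercises `core.deserialize(str, true)`. Nothing asserts what a function restored without safe mode is able to reach, which is the path the working setfenv from the first hunk makes testable. A companion spec along the lines below would pin that, assuming serialize.lua gives restored functions an empty environment; that file is not on this page, so confirm before adopting it. Separately, `assert.equals(test_out.foo, "bar")` passes the arguments in the reverse of luassert's (expected, actual) order, so a failure message would be misleading; prefer `assert.equals("bar", test_out.foo)`. The enclosing `describe` block starts outside the hunk.

```lua
	-- … unchanged: "strips functions in safe mode" spec …

	it("restores functions without access to globals", function()
		local str = core.serialize({ func = function() return os end })

		local test_out = core.deserialize(str)
		assert.is_function(test_out.func)
		assert.is_nil(test_out.func())
	end)
```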