Add Lua interface to HTTPFetchRequest

This allows mods to perform both asynchronous and synchronous HTTP
requests. Mods are only granted access to HTTP APIs if either mod
security is disabled or if they are whitelisted in any of the
the secure.http_mods and secure.trusted_mods settings.

Adds httpfetch_caller_alloc_secure to generate random, non-predictable
caller IDs so that lua mods cannot spy on each others HTTP queries.

2 files changed, 23 insertions, 0 deletions

diff --git a/builtin/game/misc.lua b/builtin/game/misc.lua
index bacadf18f..d0e67bd88 100644
--- a/builtin/game/misc.lua
+++ b/builtin/game/misc.lua
@@ -178,3 +178,22 @@ function core.raillike_group(name)
 	end
 	return id
 end
+
+-- HTTP callback interface
+function core.http_add_fetch(httpenv)
+	httpenv.fetch = function(req, callback)
+		local handle = httpenv.fetch_async(req)
+
+		local function update_http_status()
+			local res = httpenv.fetch_async_get(handle)
+			if res.completed then
+				callback(res)
+			else
+				core.after(0, update_http_status)
+			end
+		end
+		core.after(0, update_http_status)
+	end
+
+	return httpenv
+end
diff --git a/builtin/settingtypes.txt b/builtin/settingtypes.txt
index c21a0325f..9e1997cc6 100644
--- a/builtin/settingtypes.txt
+++ b/builtin/settingtypes.txt
@@ -1100,6 +1100,10 @@ secure.enable_security (Enable mod security) bool false
 #    functions even when mod security is on (via request_insecure_environment()).
 secure.trusted_mods (Trusted mods) string
 
+#	Comma-seperated list of mods that are allowed to access HTTP APIs, which
+#	allow them to upload and download data to/from the internet.
+secure.http_mods (HTTP Mods) string
+
 [Client and Server]
 
 #    Name of the player.