From f4054595482bf4573075f45d3ca56076a0d6113e Mon Sep 17 00:00:00 2001 From: sfan5 Date: Fri, 17 Dec 2021 18:35:30 +0100 Subject: Remove setlocal and setupvalue from `debug` table whitelist It's likely that these could be used trick mods into revealing the insecure environment even if they do everything right (which is already hard enough). --- src/script/cpp_api/s_security.cpp | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/script/cpp_api/s_security.cpp b/src/script/cpp_api/s_security.cpp index 5faf8cc80..11c277839 100644 --- a/src/script/cpp_api/s_security.cpp +++ b/src/script/cpp_api/s_security.cpp @@ -129,12 +129,10 @@ void ScriptApiSecurity::initializeSecurity() "traceback", "getinfo", "getmetatable", - "setupvalue", "setmetatable", "upvalueid", "sethook", "debug", - "setlocal", }; static const char *package_whitelist[] = { "config", -- cgit v1.2.3