From 59f84ca0a07e50dd5ce050d38ae1aeb529bd25ac Mon Sep 17 00:00:00 2001 From: ShadowNinja Date: Mon, 5 Dec 2016 19:59:15 +0000 Subject: Mod security: Allow read-only access to all mod paths --- src/script/cpp_api/s_security.h | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'src/script/cpp_api/s_security.h') diff --git a/src/script/cpp_api/s_security.h b/src/script/cpp_api/s_security.h index 97bc5c067..6876108e8 100644 --- a/src/script/cpp_api/s_security.h +++ b/src/script/cpp_api/s_security.h @@ -23,14 +23,18 @@ with this program; if not, write to the Free Software Foundation, Inc., #include "cpp_api/s_base.h" -#define CHECK_SECURE_PATH(L, path) \ - if (!ScriptApiSecurity::checkPath(L, path)) { \ - throw LuaError(std::string("Attempt to access external file ") + \ - path + " with mod security on."); \ +#define CHECK_SECURE_PATH_INTERNAL(L, path, write_required, ptr) \ + if (!ScriptApiSecurity::checkPath(L, path, write_required, ptr)) { \ + throw LuaError(std::string("Mod security: Blocked attempted ") + \ + (write_required ? "write to " : "read from ") + path); \ } -#define CHECK_SECURE_PATH_OPTIONAL(L, path) \ +#define CHECK_SECURE_PATH(L, path, write_required) \ if (ScriptApiSecurity::isSecure(L)) { \ - CHECK_SECURE_PATH(L, path); \ + CHECK_SECURE_PATH_INTERNAL(L, path, write_required, NULL); \ + } +#define CHECK_SECURE_PATH_POSSIBLE_WRITE(L, path, ptr) \ + if (ScriptApiSecurity::isSecure(L)) { \ + CHECK_SECURE_PATH_INTERNAL(L, path, false, ptr); \ } @@ -43,8 +47,9 @@ public: static bool isSecure(lua_State *L); // Loads a file as Lua code safely (doesn't allow bytecode). static bool safeLoadFile(lua_State *L, const char *path); - // Checks if mods are allowed to read and write to the path - static bool checkPath(lua_State *L, const char *path); + // Checks if mods are allowed to read (and optionally write) to the path + static bool checkPath(lua_State *L, const char *path, bool write_required, + bool *write_allowed=NULL); private: // Syntax: "sl_" '_' -- cgit v1.2.3