Block access to the `io` library
authorred-001 <red-001@outlook.ie>
Sat, 28 Jan 2017 21:43:06 +0000 (21:43 +0000)
committerLoic Blot <loic.blot@unix-experience.fr>
Sun, 19 Mar 2017 11:34:33 +0000 (12:34 +0100)
builtin/common/misc_helpers.lua
src/script/cpp_api/s_security.cpp

index e145a5bfc2507b5b50744e382b1591131b28f010..a1417dbd4d401831f11581bf100d18a537f5c6ef 100644 (file)
@@ -197,16 +197,17 @@ assert(table.indexof({"foo", "bar"}, "foo") == 1)
 assert(table.indexof({"foo", "bar"}, "baz") == -1)
 
 --------------------------------------------------------------------------------
-function file_exists(filename)
-       local f = io.open(filename, "r")
-       if f == nil then
-               return false
-       else
-               f:close()
-               return true
+if INIT ~= "client" then
+       function file_exists(filename)
+               local f = io.open(filename, "r")
+               if f == nil then
+                       return false
+               else
+                       f:close()
+                       return true
+               end
        end
 end
-
 --------------------------------------------------------------------------------
 function string:trim()
        return (self:gsub("^%s*(.-)%s*$", "%1"))
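Review bot: The new `if INIT ~= "client" then` guard around `file_exists` carries no comment explaining why the helper is absent on the client, and it is fail-open: any `INIT` value other than the exact string `"client"`, including an unset one, still defines the function. A line such as `-- file_exists relies on io.open, which the client-side sandbox no longer provides` above the guard would record the intent, which otherwise has to be inferred from the `s_security.cpp` part of this commit. Because `file_exists` stays a global that now exists only in some environments, shared builtin code that calls it would fail with a nil-call error on the client. No such callers are visible in this hunk, so that needs checking elsewhere in `builtin/`.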
index c6aad71b8e896321f3058de1cf8e9d5bb18b4d38..ec3a52e8e8afdbad67da1f82f6bb1fa3305d1600 100644 (file)
@@ -123,6 +123,7 @@ void ScriptApiSecurity::initializeSecurity()
                "path",
                "searchpath",
        };
+#if USE_LUAJIT
        static const char *jit_whitelist[] = {
                "arch",
                "flush",
@@ -134,7 +135,7 @@ void ScriptApiSecurity::initializeSecurity()
                "version",
                "version_num",
        };
-
+#endif
        m_secure = true;
 
        lua_State *L = getStack();
@@ -245,13 +246,6 @@ void ScriptApiSecurity::initializeSecurityClient()
                "table",
                "math",
        };
-       static const char *io_whitelist[] = {
-               "close",
-               "flush",
-               "read",
-               "type",
-               "write",
-       };
        static const char *os_whitelist[] = {
                "clock",
                "date",
@@ -263,6 +257,7 @@ void ScriptApiSecurity::initializeSecurityClient()
                "getinfo",
        };
 
+#if USE_LUAJIT
        static const char *jit_whitelist[] = {
                "arch",
                "flush",
@@ -274,6 +269,7 @@ void ScriptApiSecurity::initializeSecurityClient()
                "version",
                "version_num",
        };
+#endif
 
        m_secure = true;
 
@@ -294,20 +290,6 @@ void ScriptApiSecurity::initializeSecurityClient()
        lua_pop(L, 1);
 
 
-       // Copy safe IO functions
-       lua_getfield(L, old_globals, "io");
-       lua_newtable(L);
-       copy_safe(L, io_whitelist, sizeof(io_whitelist));
-
-       // And replace unsafe ones
-       SECURE_API(io, open);
-       SECURE_API(io, input);
-       SECURE_API(io, output);
-       SECURE_API(io, lines);
-
-       lua_setglobal(L, "io");
-       lua_pop(L, 1);  // Pop old IO
-
 
        // Copy safe OS functions
        lua_getfield(L, old_globals, "os");
@@ -324,10 +306,6 @@ void ScriptApiSecurity::initializeSecurityClient()
        lua_setglobal(L, "debug");
        lua_pop(L, 1);  // Pop old debug
 
-       // Remove all of package
-       lua_newtable(L);
-       lua_setglobal(L, "package");
-
 #if USE_LUAJIT
        // Copy safe jit functions, if they exist
        lua_getfield(L, -1, "jit");