123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906 |
- /*
- Minetest
- Copyright (C) 2013 celeron55, Perttu Ahola <celeron55@gmail.com>
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU Lesser General Public License for more details.
- You should have received a copy of the GNU Lesser General Public License along
- with this program; if not, write to the Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
- #include "cpp_api/s_security.h"
- #include "lua_api/l_base.h"
- #include "filesys.h"
- #include "porting.h"
- #include "server.h"
- #include "client/client.h"
- #include "settings.h"
- #include <cerrno>
- #include <string>
- #include <algorithm>
- #include <iostream>
- #define SECURE_API(lib, name) \
- lua_pushcfunction(L, sl_##lib##_##name); \
- lua_setfield(L, -2, #name);
- static inline void copy_safe(lua_State *L, const char *list[], unsigned len, int from=-2, int to=-1)
- {
- if (from < 0) from = lua_gettop(L) + from + 1;
- if (to < 0) to = lua_gettop(L) + to + 1;
- for (unsigned i = 0; i < (len / sizeof(list[0])); i++) {
- lua_getfield(L, from, list[i]);
- lua_setfield(L, to, list[i]);
- }
- }
- static void shallow_copy_table(lua_State *L, int from=-2, int to=-1)
- {
- if (from < 0) from = lua_gettop(L) + from + 1;
- if (to < 0) to = lua_gettop(L) + to + 1;
- lua_pushnil(L);
- while (lua_next(L, from) != 0) {
- assert(lua_type(L, -1) != LUA_TTABLE);
- // duplicate key and value for lua_rawset
- lua_pushvalue(L, -2);
- lua_pushvalue(L, -2);
- lua_rawset(L, to);
- lua_pop(L, 1);
- }
- }
- // Pushes the original version of a library function on the stack, from the old version
- static inline void push_original(lua_State *L, const char *lib, const char *func)
- {
- lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
- lua_getfield(L, -1, lib);
- lua_remove(L, -2); // Remove globals_backup
- lua_getfield(L, -1, func);
- lua_remove(L, -2); // Remove lib
- }
- void ScriptApiSecurity::initializeSecurity()
- {
- static const char *whitelist[] = {
- "assert",
- "core",
- "collectgarbage",
- "DIR_DELIM",
- "error",
- "getfenv",
- "getmetatable",
- "ipairs",
- "next",
- "pairs",
- "pcall",
- "print",
- "rawequal",
- "rawget",
- "rawset",
- "select",
- "setfenv",
- "setmetatable",
- "tonumber",
- "tostring",
- "type",
- "unpack",
- "_VERSION",
- "xpcall",
- };
- static const char *whitelist_tables[] = {
- // These libraries are completely safe BUT we need to duplicate their table
- // to ensure the sandbox can't affect the insecure env
- "coroutine",
- "string",
- "table",
- "math",
- "bit"
- };
- static const char *io_whitelist[] = {
- "close",
- "flush",
- "read",
- "type",
- "write",
- };
- static const char *os_whitelist[] = {
- "clock",
- "date",
- "difftime",
- "getenv",
- "time",
- };
- static const char *debug_whitelist[] = {
- "gethook",
- "traceback",
- "getinfo",
- "upvalueid",
- "sethook",
- "debug",
- };
- static const char *package_whitelist[] = {
- "config",
- "cpath",
- "path",
- "searchpath",
- };
- #if USE_LUAJIT
- static const char *jit_whitelist[] = {
- "arch",
- "flush",
- "off",
- "on",
- "opt",
- "os",
- "status",
- "version",
- "version_num",
- };
- #endif
- m_secure = true;
- lua_State *L = getStack();
- // Backup globals to the registry
- lua_getglobal(L, "_G");
- lua_rawseti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
- // Replace the global environment with an empty one
- int thread = getThread(L);
- createEmptyEnv(L);
- setLuaEnv(L, thread);
- // Get old globals
- lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
- int old_globals = lua_gettop(L);
- // Copy safe base functions
- lua_getglobal(L, "_G");
- copy_safe(L, whitelist, sizeof(whitelist));
- // And replace unsafe ones
- SECURE_API(g, dofile);
- SECURE_API(g, load);
- SECURE_API(g, loadfile);
- SECURE_API(g, loadstring);
- SECURE_API(g, require);
- lua_pop(L, 1);
- // Copy safe libraries
- for (const char *libname : whitelist_tables) {
- lua_getfield(L, old_globals, libname);
- lua_newtable(L);
- shallow_copy_table(L);
- lua_setglobal(L, libname);
- lua_pop(L, 1);
- }
- // Copy safe IO functions
- lua_getfield(L, old_globals, "io");
- lua_newtable(L);
- copy_safe(L, io_whitelist, sizeof(io_whitelist));
- // And replace unsafe ones
- SECURE_API(io, open);
- SECURE_API(io, input);
- SECURE_API(io, output);
- SECURE_API(io, lines);
- lua_setglobal(L, "io");
- lua_pop(L, 1); // Pop old IO
- // Copy safe OS functions
- lua_getfield(L, old_globals, "os");
- lua_newtable(L);
- copy_safe(L, os_whitelist, sizeof(os_whitelist));
- // And replace unsafe ones
- SECURE_API(os, remove);
- SECURE_API(os, rename);
- SECURE_API(os, setlocale);
- lua_setglobal(L, "os");
- lua_pop(L, 1); // Pop old OS
- // Copy safe debug functions
- lua_getfield(L, old_globals, "debug");
- lua_newtable(L);
- copy_safe(L, debug_whitelist, sizeof(debug_whitelist));
- lua_setglobal(L, "debug");
- lua_pop(L, 1); // Pop old debug
- // Copy safe package fields
- lua_getfield(L, old_globals, "package");
- lua_newtable(L);
- copy_safe(L, package_whitelist, sizeof(package_whitelist));
- lua_setglobal(L, "package");
- lua_pop(L, 1); // Pop old package
- #if USE_LUAJIT
- // Copy safe jit functions, if they exist
- lua_getfield(L, -1, "jit");
- if (!lua_isnil(L, -1)) {
- lua_newtable(L);
- copy_safe(L, jit_whitelist, sizeof(jit_whitelist));
- lua_setglobal(L, "jit");
- }
- lua_pop(L, 1); // Pop old jit
- #endif
- // Get rid of 'core' in the old globals, we don't want anyone thinking it's
- // safe or even usable.
- lua_pushnil(L);
- lua_setfield(L, old_globals, "core");
- lua_pop(L, 1); // Pop globals_backup
- /*
- * In addition to copying the tables in whitelist_tables, we also need to
- * replace the string metatable. Otherwise old_globals.string would
- * be accessible via getmetatable("").__index from inside the sandbox.
- */
- lua_pushliteral(L, "");
- lua_newtable(L);
- lua_getglobal(L, "string");
- lua_setfield(L, -2, "__index");
- lua_setmetatable(L, -2);
- lua_pop(L, 1); // Pop empty string
- }
- void ScriptApiSecurity::initializeSecurityClient()
- {
- static const char *whitelist[] = {
- "assert",
- "core",
- "collectgarbage",
- "DIR_DELIM",
- "error",
- "getfenv",
- "ipairs",
- "next",
- "pairs",
- "pcall",
- "print",
- "rawequal",
- "rawget",
- "rawset",
- "select",
- "setfenv",
- "getmetatable",
- "setmetatable",
- "tonumber",
- "tostring",
- "type",
- "unpack",
- "_VERSION",
- "xpcall",
- // Completely safe libraries
- "coroutine",
- "string",
- "table",
- "math",
- "bit",
- };
- static const char *os_whitelist[] = {
- "clock",
- "date",
- "difftime",
- "time"
- };
- static const char *debug_whitelist[] = {
- "getinfo", // used by builtin and unset before mods load
- "traceback"
- };
- #if USE_LUAJIT
- static const char *jit_whitelist[] = {
- "arch",
- "flush",
- "off",
- "on",
- "opt",
- "os",
- "status",
- "version",
- "version_num",
- };
- #endif
- m_secure = true;
- lua_State *L = getStack();
- int thread = getThread(L);
- // create an empty environment
- createEmptyEnv(L);
- // Copy safe base functions
- lua_getglobal(L, "_G");
- lua_getfield(L, -2, "_G");
- copy_safe(L, whitelist, sizeof(whitelist));
- // And replace unsafe ones
- SECURE_API(g, dofile);
- SECURE_API(g, load);
- SECURE_API(g, loadfile);
- SECURE_API(g, loadstring);
- SECURE_API(g, require);
- lua_pop(L, 2);
- // Copy safe OS functions
- lua_getglobal(L, "os");
- lua_newtable(L);
- copy_safe(L, os_whitelist, sizeof(os_whitelist));
- lua_setfield(L, -3, "os");
- lua_pop(L, 1); // Pop old OS
- // Copy safe debug functions
- lua_getglobal(L, "debug");
- lua_newtable(L);
- copy_safe(L, debug_whitelist, sizeof(debug_whitelist));
- lua_setfield(L, -3, "debug");
- lua_pop(L, 1); // Pop old debug
- #if USE_LUAJIT
- // Copy safe jit functions, if they exist
- lua_getglobal(L, "jit");
- lua_newtable(L);
- copy_safe(L, jit_whitelist, sizeof(jit_whitelist));
- lua_setfield(L, -3, "jit");
- lua_pop(L, 1); // Pop old jit
- #endif
- // Set the environment to the one we created earlier
- setLuaEnv(L, thread);
- }
- int ScriptApiSecurity::getThread(lua_State *L)
- {
- #if LUA_VERSION_NUM <= 501
- int is_main = lua_pushthread(L); // Push the main thread
- FATAL_ERROR_IF(!is_main, "Security: ScriptApi's Lua state "
- "isn't the main Lua thread!");
- return lua_gettop(L);
- #endif
- return 0;
- }
- void ScriptApiSecurity::createEmptyEnv(lua_State *L)
- {
- lua_newtable(L); // Create new environment
- lua_pushvalue(L, -1);
- lua_setfield(L, -2, "_G"); // Create the _G loop
- }
- void ScriptApiSecurity::setLuaEnv(lua_State *L, int thread)
- {
- #if LUA_VERSION_NUM >= 502 // Lua >= 5.2
- // Set the global environment
- lua_rawseti(L, LUA_REGISTRYINDEX, LUA_RIDX_GLOBALS);
- #else // Lua <= 5.1
- // Set the environment of the main thread
- FATAL_ERROR_IF(!lua_setfenv(L, thread), "Security: Unable to set "
- "environment of the main Lua thread!");
- lua_pop(L, 1); // Pop thread
- #endif
- }
- bool ScriptApiSecurity::isSecure(lua_State *L)
- {
- #ifndef SERVER
- auto script = ModApiBase::getScriptApiBase(L);
- // CSM keeps no globals backup but is always secure
- if (script->getType() == ScriptingType::Client)
- return true;
- #endif
- lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
- bool secure = !lua_isnil(L, -1);
- lua_pop(L, 1);
- return secure;
- }
- bool ScriptApiSecurity::safeLoadString(lua_State *L, const std::string &code, const char *chunk_name)
- {
- if (code.size() > 0 && code[0] == LUA_SIGNATURE[0]) {
- lua_pushliteral(L, "Bytecode prohibited when mod security is enabled.");
- return false;
- }
- if (luaL_loadbuffer(L, code.data(), code.size(), chunk_name))
- return false;
- return true;
- }
- bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path, const char *display_name)
- {
- FILE *fp;
- char *chunk_name;
- if (!display_name)
- display_name = path;
- if (!path) {
- fp = stdin;
- chunk_name = const_cast<char *>("=stdin");
- } else {
- fp = fopen(path, "rb");
- if (!fp) {
- lua_pushfstring(L, "%s: %s", path, strerror(errno));
- return false;
- }
- size_t len = strlen(display_name) + 2;
- chunk_name = new char[len];
- snprintf(chunk_name, len, "@%s", display_name);
- }
- size_t start = 0;
- int c = std::getc(fp);
- if (c == '#') {
- // Skip the first line
- while ((c = std::getc(fp)) != EOF && c != '\n') {}
- if (c == '\n')
- std::getc(fp);
- start = std::ftell(fp);
- }
- // Read the file
- int ret = std::fseek(fp, 0, SEEK_END);
- if (ret) {
- lua_pushfstring(L, "%s: %s", path, strerror(errno));
- if (path) {
- std::fclose(fp);
- delete [] chunk_name;
- }
- return false;
- }
- size_t size = std::ftell(fp) - start;
- std::string code(size, '\0');
- ret = std::fseek(fp, start, SEEK_SET);
- if (ret) {
- lua_pushfstring(L, "%s: %s", path, strerror(errno));
- if (path) {
- std::fclose(fp);
- delete [] chunk_name;
- }
- return false;
- }
- size_t num_read = std::fread(&code[0], 1, size, fp);
- if (path)
- std::fclose(fp);
- if (num_read != size) {
- lua_pushliteral(L, "Error reading file to load.");
- if (path)
- delete [] chunk_name;
- return false;
- }
- bool result = safeLoadString(L, code, chunk_name);
- if (path)
- delete [] chunk_name;
- return result;
- }
- bool ScriptApiSecurity::checkPath(lua_State *L, const char *path,
- bool write_required, bool *write_allowed)
- {
- if (write_allowed)
- *write_allowed = false;
- std::string str; // Transient
- std::string abs_path = fs::AbsolutePath(path);
- if (!abs_path.empty()) {
- // Don't allow accessing the settings file
- str = fs::AbsolutePath(g_settings_path);
- if (str == abs_path) return false;
- }
- // If we couldn't find the absolute path (path doesn't exist) then
- // try removing the last components until it works (to allow
- // non-existent files/folders for mkdir).
- std::string cur_path = path;
- std::string removed;
- while (abs_path.empty() && !cur_path.empty()) {
- std::string component;
- cur_path = fs::RemoveLastPathComponent(cur_path, &component);
- if (component == "..") {
- // Parent components can't be allowed or we could allow something like
- // /home/user/minetest/worlds/foo/noexist/../../../../../../etc/passwd.
- // If we have previous non-relative elements in the path we might be
- // able to remove them so that things like worlds/foo/noexist/../auth.txt
- // could be allowed, but those paths will be interpreted as nonexistent
- // by the operating system anyways.
- return false;
- }
- removed.append(component).append(removed.empty() ? "" : DIR_DELIM + removed);
- abs_path = fs::AbsolutePath(cur_path);
- }
- if (abs_path.empty())
- return false;
- // Add the removed parts back so that you can't, eg, create a
- // directory in worldmods if worldmods doesn't exist.
- if (!removed.empty())
- abs_path += DIR_DELIM + removed;
- // Get gamedef from registry
- ScriptApiBase *script = ModApiBase::getScriptApiBase(L);
- const IGameDef *gamedef = script->getGameDef();
- if (!gamedef)
- return false;
- // Get mod name
- lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_CURRENT_MOD_NAME);
- if (lua_isstring(L, -1)) {
- std::string mod_name = readParam<std::string>(L, -1);
- // Builtin can access anything
- if (mod_name == BUILTIN_MOD_NAME) {
- if (write_allowed) *write_allowed = true;
- return true;
- }
- // Allow paths in mod path
- // Don't bother if write access isn't important, since it will be handled later
- if (write_required || write_allowed != NULL) {
- const ModSpec *mod = gamedef->getModSpec(mod_name);
- if (mod) {
- str = fs::AbsolutePath(mod->path);
- if (!str.empty() && fs::PathStartsWith(abs_path, str)) {
- if (write_allowed) *write_allowed = true;
- return true;
- }
- }
- }
- }
- lua_pop(L, 1); // Pop mod name
- // Allow read-only access to game directory
- if (!write_required) {
- const SubgameSpec *game_spec = gamedef->getGameSpec();
- if (game_spec && !game_spec->path.empty()) {
- str = fs::AbsolutePath(game_spec->path);
- if (!str.empty() && fs::PathStartsWith(abs_path, str)) {
- return true;
- }
- }
- }
- // Allow read-only access to all mod directories
- if (!write_required) {
- const std::vector<ModSpec> &mods = gamedef->getMods();
- for (const ModSpec &mod : mods) {
- str = fs::AbsolutePath(mod.path);
- if (!str.empty() && fs::PathStartsWith(abs_path, str)) {
- return true;
- }
- }
- }
- str = fs::AbsolutePath(gamedef->getWorldPath());
- if (!str.empty()) {
- // Don't allow access to other paths in the world mod/game path.
- // These have to be blocked so you can't override a trusted mod
- // by creating a mod with the same name in a world mod directory.
- // We add to the absolute path of the world instead of getting
- // the absolute paths directly because that won't work if they
- // don't exist.
- if (fs::PathStartsWith(abs_path, str + DIR_DELIM + "worldmods") ||
- fs::PathStartsWith(abs_path, str + DIR_DELIM + "game")) {
- return false;
- }
- // Allow all other paths in world path
- if (fs::PathStartsWith(abs_path, str)) {
- if (write_allowed) *write_allowed = true;
- return true;
- }
- }
- // Default to disallowing
- return false;
- }
- bool ScriptApiSecurity::checkWhitelisted(lua_State *L, const std::string &setting)
- {
- assert(str_starts_with(setting, "secure."));
- // We have to make sure that this function is being called directly by
- // a mod, otherwise a malicious mod could override this function and
- // steal its return value.
- lua_Debug info;
- // Make sure there's only one item below this function on the stack...
- if (lua_getstack(L, 2, &info))
- return false;
- FATAL_ERROR_IF(!lua_getstack(L, 1, &info), "lua_getstack() failed");
- FATAL_ERROR_IF(!lua_getinfo(L, "S", &info), "lua_getinfo() failed");
- // ...and that that item is the main file scope.
- if (strcmp(info.what, "main") != 0)
- return false;
- // Mod must be listed in secure.http_mods or secure.trusted_mods
- lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_CURRENT_MOD_NAME);
- if (!lua_isstring(L, -1))
- return false;
- std::string mod_name = readParam<std::string>(L, -1);
- std::string value = g_settings->get(setting);
- value.erase(std::remove(value.begin(), value.end(), ' '), value.end());
- auto mod_list = str_split(value, ',');
- return CONTAINS(mod_list, mod_name);
- }
- int ScriptApiSecurity::sl_g_dofile(lua_State *L)
- {
- int nret = sl_g_loadfile(L);
- if (nret != 1) {
- lua_error(L);
- // code after this function isn't executed
- }
- int top_precall = lua_gettop(L);
- lua_call(L, 0, LUA_MULTRET);
- // Return number of arguments returned by the function,
- // adjusting for the function being poped.
- return lua_gettop(L) - (top_precall - 1);
- }
- int ScriptApiSecurity::sl_g_load(lua_State *L)
- {
- size_t len;
- const char *buf;
- std::string code;
- const char *chunk_name = "=(load)";
- luaL_checktype(L, 1, LUA_TFUNCTION);
- if (!lua_isnone(L, 2)) {
- luaL_checktype(L, 2, LUA_TSTRING);
- chunk_name = lua_tostring(L, 2);
- }
- while (true) {
- lua_pushvalue(L, 1);
- lua_call(L, 0, 1);
- int t = lua_type(L, -1);
- if (t == LUA_TNIL) {
- break;
- }
- if (t != LUA_TSTRING) {
- lua_pushnil(L);
- lua_pushliteral(L, "Loader didn't return a string");
- return 2;
- }
- buf = lua_tolstring(L, -1, &len);
- code += std::string(buf, len);
- lua_pop(L, 1); // Pop return value
- }
- if (!safeLoadString(L, code, chunk_name)) {
- lua_pushnil(L);
- lua_insert(L, -2);
- return 2;
- }
- return 1;
- }
- int ScriptApiSecurity::sl_g_loadfile(lua_State *L)
- {
- #ifndef SERVER
- ScriptApiBase *script = ModApiBase::getScriptApiBase(L);
- // Client implementation
- if (script->getType() == ScriptingType::Client) {
- std::string path = readParam<std::string>(L, 1);
- const std::string *contents = script->getClient()->getModFile(path);
- if (!contents) {
- std::string error_msg = "Coudln't find script called: " + path;
- lua_pushnil(L);
- lua_pushstring(L, error_msg.c_str());
- return 2;
- }
- std::string chunk_name = "@" + path;
- if (!safeLoadString(L, *contents, chunk_name.c_str())) {
- lua_pushnil(L);
- lua_insert(L, -2);
- return 2;
- }
- return 1;
- }
- #endif
- // Server implementation
- const char *path = NULL;
- if (lua_isstring(L, 1)) {
- path = lua_tostring(L, 1);
- CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL);
- }
- if (!safeLoadFile(L, path)) {
- lua_pushnil(L);
- lua_insert(L, -2);
- return 2;
- }
- return 1;
- }
- int ScriptApiSecurity::sl_g_loadstring(lua_State *L)
- {
- const char *chunk_name = "=(load)";
- luaL_checktype(L, 1, LUA_TSTRING);
- if (!lua_isnone(L, 2)) {
- luaL_checktype(L, 2, LUA_TSTRING);
- chunk_name = lua_tostring(L, 2);
- }
- size_t size;
- const char *code = lua_tolstring(L, 1, &size);
- std::string code_s(code, size);
- if (!safeLoadString(L, code_s, chunk_name)) {
- lua_pushnil(L);
- lua_insert(L, -2);
- return 2;
- }
- return 1;
- }
- int ScriptApiSecurity::sl_g_require(lua_State *L)
- {
- lua_pushliteral(L, "require() is disabled when mod security is on.");
- return lua_error(L);
- }
- int ScriptApiSecurity::sl_io_open(lua_State *L)
- {
- bool with_mode = lua_gettop(L) > 1;
- luaL_checktype(L, 1, LUA_TSTRING);
- const char *path = lua_tostring(L, 1);
- bool write_requested = false;
- if (with_mode) {
- luaL_checktype(L, 2, LUA_TSTRING);
- const char *mode = lua_tostring(L, 2);
- write_requested = strchr(mode, 'w') != NULL ||
- strchr(mode, '+') != NULL ||
- strchr(mode, 'a') != NULL;
- }
- CHECK_SECURE_PATH_INTERNAL(L, path, write_requested, NULL);
- push_original(L, "io", "open");
- lua_pushvalue(L, 1);
- if (with_mode) {
- lua_pushvalue(L, 2);
- }
- lua_call(L, with_mode ? 2 : 1, 2);
- return 2;
- }
- int ScriptApiSecurity::sl_io_input(lua_State *L)
- {
- if (lua_isstring(L, 1)) {
- const char *path = lua_tostring(L, 1);
- CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL);
- }
- push_original(L, "io", "input");
- lua_pushvalue(L, 1);
- lua_call(L, 1, 1);
- return 1;
- }
- int ScriptApiSecurity::sl_io_output(lua_State *L)
- {
- if (lua_isstring(L, 1)) {
- const char *path = lua_tostring(L, 1);
- CHECK_SECURE_PATH_INTERNAL(L, path, true, NULL);
- }
- push_original(L, "io", "output");
- lua_pushvalue(L, 1);
- lua_call(L, 1, 1);
- return 1;
- }
- int ScriptApiSecurity::sl_io_lines(lua_State *L)
- {
- if (lua_isstring(L, 1)) {
- const char *path = lua_tostring(L, 1);
- CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL);
- }
- int top_precall = lua_gettop(L);
- push_original(L, "io", "lines");
- lua_pushvalue(L, 1);
- lua_call(L, 1, LUA_MULTRET);
- // Return number of arguments returned by the function,
- // adjusting for the function being poped.
- return lua_gettop(L) - top_precall;
- }
- int ScriptApiSecurity::sl_os_rename(lua_State *L)
- {
- luaL_checktype(L, 1, LUA_TSTRING);
- const char *path1 = lua_tostring(L, 1);
- CHECK_SECURE_PATH_INTERNAL(L, path1, true, NULL);
- luaL_checktype(L, 2, LUA_TSTRING);
- const char *path2 = lua_tostring(L, 2);
- CHECK_SECURE_PATH_INTERNAL(L, path2, true, NULL);
- push_original(L, "os", "rename");
- lua_pushvalue(L, 1);
- lua_pushvalue(L, 2);
- lua_call(L, 2, 2);
- return 2;
- }
- int ScriptApiSecurity::sl_os_remove(lua_State *L)
- {
- luaL_checktype(L, 1, LUA_TSTRING);
- const char *path = lua_tostring(L, 1);
- CHECK_SECURE_PATH_INTERNAL(L, path, true, NULL);
- push_original(L, "os", "remove");
- lua_pushvalue(L, 1);
- lua_call(L, 1, 2);
- return 2;
- }
- int ScriptApiSecurity::sl_os_setlocale(lua_State *L)
- {
- const bool cat = lua_gettop(L) > 1;
- // Don't allow changes
- if (!lua_isnoneornil(L, 1)) {
- lua_pushnil(L);
- return 1;
- }
- push_original(L, "os", "setlocale");
- lua_pushnil(L);
- if (cat)
- lua_pushvalue(L, 2);
- lua_call(L, cat ? 2 : 1, 1);
- return 1;
- }
|