Skip to content
Browse files

Allow string.find in plain mode.

The fourth parameter of string.find indicates whether the second parameter should be interpreted literally (true) or as a pattern (false). Allowing patterns enables DoS attacks, but it's possible to allow literal matching with little effort, by disallowing the function only if the fourth parameter (plain mode) is not `true`.
  • Loading branch information
Pedro Gimeno authored and Jeija committed Mar 25, 2016
1 parent 72e513e commit 01004f8343614aab50459a4423607117b3eb3820
Showing with 12 additions and 0 deletions.
  1. +12 −0 mesecons_luacontroller/init.lua
@@ -216,6 +216,17 @@ local function safe_string_rep(str, n)
return string.rep(str, n)

-- string.find with a pattern can be used to DoS the server.
-- Therefore, limit string.find to patternless matching.
local function safe_string_find(...)
if (select(4, ...)) ~= true then
debug.sethook() -- Clear hook
error("string.find: 'plain' (fourth parameter) must always be true in a LuaController")

return string.find(...)

local function remove_functions(x)
local tp = type(x)
if tp == "table" then
@@ -292,6 +303,7 @@ local function create_environment(pos, mem, event)
rep = safe_string_rep,
reverse = string.reverse,
sub = string.sub,
find = safe_string_find,
math = {
abs = math.abs,

0 comments on commit 01004f8

Please sign in to comment.
You can’t perform that action at this time.