Skip to content
Permalink
Browse files

Require minetest.request_http_api to be called from the mod's main scope

Fixes #3764
  • Loading branch information
Jeija authored and est31 committed Mar 3, 2016
1 parent 7bcbc01 commit 1100a5d614c2eaf8e1c4f3adbc70b477e01a405c
Showing with 20 additions and 3 deletions.
  1. +1 −1 doc/lua_api.txt
  2. +19 −2 src/script/lua_api/l_http.cpp
@@ -2337,7 +2337,7 @@ These functions return the leftover itemstack.
otherwise returns `nil`.
* The returned table contains the functions `fetch`, `fetch_async` and `fetch_async_get`
described below.
* Only works at init time.
* Only works at init time and must be called from the mod's main scope (not from a function).
* Function only exists if minetest server was built with cURL support.
* **DO NOT ALLOW ANY OTHER MODS TO ACCESS THE RETURNED TABLE, STORE IT IN
A LOCAL VARIABLE!**
@@ -23,6 +23,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
#include "lua_api/l_http.h"
#include "httpfetch.h"
#include "settings.h"
#include "debug.h"
#include "log.h"

#include <algorithm>
@@ -130,11 +131,27 @@ int ModApiHttp::l_request_http_api(lua_State *L)
{
NO_MAP_LOCK_REQUIRED;

// We have to make sure that this function is being called directly by
// a mod, otherwise a malicious mod could override this function and
// steal its return value.
lua_Debug info;

// Make sure there's only one item below this function on the stack...
if (lua_getstack(L, 2, &info)) {
return 0;
}
FATAL_ERROR_IF(!lua_getstack(L, 1, &info), "lua_getstack() failed");
FATAL_ERROR_IF(!lua_getinfo(L, "S", &info), "lua_getinfo() failed");

// ...and that that item is the main file scope.
if (strcmp(info.what, "main") != 0) {
return 0;
}

// Mod must be listed in secure.http_mods or secure.trusted_mods
lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_CURRENT_MOD_NAME);
if (!lua_isstring(L, -1)) {
lua_pushnil(L);
return 1;
return 0;
}

const char *mod_name = lua_tostring(L, -1);

0 comments on commit 1100a5d

Please sign in to comment.