[CSM] Improve security #5100
Conversation
@sapier is this correct for you?
"date", | ||
"difftime", | ||
"time", | ||
"setlocale", |
just remove it here instead of setting it to nil in init.lua
it's used by builtin.
"setlocale", | ||
}; | ||
static const char *debug_whitelist[] = { | ||
"getinfo", |
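Review bot: debug_whitelist is reduced to getinfo, which, as raised in this thread, leaves the debug library effectively disabled for client-side mods; add a comment above the array saying this is intentional and naming what is excluded on purpose (getlocal, getupvalue, sethook, setmetatable), otherwise the next reader will re-ask the same question.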
combined with the other changes this effectively disables the debug library, why?
ask @sapier
usually debug code provides a lot of information about internal things.
e.g. some of the debug functions provide access to local variables of other functions.
As debug usually ain't used by anything productive, disabling it completely is the safest way to get rid of those issues. Of course you could check each debug fct on its own, but I assume if you remove all potentially unsafe ones debug wouldn't be useful anyway ;-)
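The point sapier makes above can be shown directly. The following is an added example written for this thread; it is not code from the PR or from Minetest. It builds a sandbox environment from per-library whitelists in the style of the PR's C arrays (the lists, the `secret_token` local, the environment layout and all function names are chosen here for illustration), then runs the same untrusted chunk once with the full `debug` library and once with the whitelisted one. Lua 5.1 / LuaJIT, since that is what Minetest embeds.

```lua
-- Added example for this thread, not code from the PR or from Minetest.
-- With the full debug library, untrusted code can read the locals of the
-- functions that called it; with a whitelist holding only getinfo it cannot.
-- Written for Lua 5.1 / LuaJIT (loadstring, setfenv).

-- Per-library whitelists (assumed here; not copied from the PR).
local WHITELISTS = {
  os     = { "clock", "date", "difftime", "time" },
  debug  = { "getinfo" },  -- getlocal/getupvalue/sethook deliberately absent
  string = { "byte", "char", "find", "format", "gmatch", "gsub", "len",
             "lower", "match", "rep", "reverse", "sub", "upper" },
  table  = { "concat", "insert", "remove", "sort" },
}

-- Copy only the whitelisted functions of a library into a fresh table, so the
-- sandbox never holds a reference to the real library table.
local function filter_lib(lib, names)
  local out = {}
  for _, name in ipairs(names) do
    out[name] = lib[name]
  end
  return out
end

local function make_sandbox_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = unpack,
    math = math,  -- pure functions, no I/O or introspection
  }
  for libname, names in pairs(WHITELISTS) do
    env[libname] = filter_lib(_G[libname], names)
  end
  env._G = env
  -- Deliberately missing: io, loadstring/dofile/require, rawget/rawset,
  -- getmetatable/setmetatable, os.execute/getenv/remove/rename.
  return env
end

-- Compile untrusted source and run it with the given environment.
local function run_with_env(src, env)
  local chunk, err = loadstring(src, "=untrusted")
  if not chunk then return false, err end
  setfenv(chunk, env)
  return pcall(chunk)
end

-- Constructed attacker snippet: walk every active stack frame and return the
-- value of any local named `secret_token`. pcall around getlocal absorbs the
-- "level out of range" error and the nil-call error in the sandboxed case.
local LEAK_SRC = [[
  for level = 1, 32 do
    local i = 1
    while true do
      local ok, name, value = pcall(debug.getlocal, level, i)
      if not ok or name == nil then break end
      if name == "secret_token" then return value end
      i = i + 1
    end
  end
  return "not found"
]]

-- Host function holding something the untrusted chunk must not read.
local function host(src, env)
  local secret_token = "session-token-123"  -- constructed sample value
  local ok, result = run_with_env(src, env)
  return ok, result
end

-- Unrestricted environment (everything resolves to the real globals).
local ok1, r1 = host(LEAK_SRC, setmetatable({}, { __index = _G }))
print("full debug:", ok1, r1)

-- Whitelisted environment: debug.getlocal is nil, so the walk finds nothing.
local ok2, r2 = host(LEAK_SRC, make_sandbox_env())
print("sandboxed :", ok2, r2)
```

In the first run the chunk returns the host's `secret_token` value without ever being handed it; in the second run `debug.getlocal` does not exist in the environment and the snippet comes back with "not found". Two caveats for anyone building such a whitelist: every string value carries the real `string` table as its metatable `__index`, so `getmetatable` must stay out of the environment or the whole library is reachable through `getmetatable("").__index`; and `string.dump` is left out above because it returns function bytecode, which is introspection by another route.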
"math", | ||
}; | ||
static const char *io_whitelist[] = { | ||
"close", |
client side lua should not be able to read the filesystem at all, apart from dofile
in fact, reading FS okay, but only in selected places. Client side mods can have logs, or local data (for example imagine pure client side notes, like a journal)
logs: Should use an API feature for this.
local data: Should use a virtual filesystem similar to HTML5's webstorage/localstorage.
I agree with rubenwardy. Deciding which path to access is quite hard if you consider the corner cases. If you limit to a single mod specific folder you're basically imitating a virtual filesystem. If not you risk missing some critical parts. e.g. /tmp usually is fine for local applications but there's a lot of data stored in /tmp you don't want someone from outside your machine to access.
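The "single mod specific folder" idea from the two comments above, as an added example written for this thread (not code from the PR or from Minetest): the sandboxed client-side mod never sees `io`; it receives only a storage object whose keys are validated as a single path component and mapped to files under one directory reserved for that mod. The root path, the per-key quota, the key rules, the `[a-z0-9_]+` mod-name check and the function names are all assumptions made here for illustration. Lua 5.1 / LuaJIT.

```lua
-- Added example for this thread, not code from the PR or from Minetest.
-- A minimal localStorage-style store for client-side mods: validated keys map
-- to files inside root/<modname>/, and nothing else on disk is reachable.

-- A key is one path component: no separators, no leading dot (which also
-- rules out "." and ".."), bounded length. Pattern chosen here; assumed.
local KEY_PATTERN     = "^[%w_%-][%w_%-%.]*$"
local MAX_KEY_LEN     = 64
local MAX_VALUE_BYTES = 64 * 1024  -- per-key quota (assumed)

local function validate_key(key)
  if type(key) ~= "string" then
    return nil, "key must be a string"
  end
  if #key == 0 or #key > MAX_KEY_LEN then
    return nil, "key length out of range"
  end
  if not key:match(KEY_PATTERN) then
    return nil, "key must match " .. KEY_PATTERN
  end
  return key
end

-- root: directory the host created for client-side storage (trusted input).
-- modname: assumed to follow a [a-z0-9_]+ naming convention.
local function make_mod_storage(root, modname)
  assert(type(root) == "string" and #root > 0, "root required")
  assert(type(modname) == "string" and modname:match("^[a-z0-9_]+$"),
         "bad mod name")
  local dir = root .. "/" .. modname  -- the host must create this directory

  -- Every path used below goes through here, so a key can only ever name a
  -- file directly inside `dir`.
  local function path_for(key)
    local k, err = validate_key(key)
    if not k then return nil, err end
    return dir .. "/" .. k
  end

  local storage = {}

  function storage.set(key, data)
    local path, err = path_for(key)
    if not path then return false, err end
    if type(data) ~= "string" then return false, "data must be a string" end
    if #data > MAX_VALUE_BYTES then return false, "value exceeds quota" end
    local f, ferr = io.open(path, "wb")
    if not f then return false, ferr end
    f:write(data)
    f:close()
    return true
  end

  function storage.get(key)
    local path, err = path_for(key)
    if not path then return nil, err end
    local f = io.open(path, "rb")
    if not f then return nil end  -- a missing key reads as nil
    local data = f:read("*a")
    f:close()
    return data
  end

  -- Only set/get are handed to the mod; `dir`, `path_for` and the real io
  -- library stay inside this closure.
  return storage
end

-- Constructed checks of the key rules. Rejected keys never reach io.open.
local storage = make_mod_storage("/tmp/csm_storage", "journal")  -- assumed root
for _, key in ipairs({ "notes.txt", "../../etc/passwd", "/etc/passwd",
                       "..", ".hidden", "a\\b" }) do
  local ok, err = validate_key(key)
  print(key, "->", ok and "accepted" or ("rejected: " .. err))
end
print(storage.set("../escape", "x"))  -- false, rejected before any io call
```

Restricting keys to a single path component sidesteps the corner cases sapier mentions (symlinks, `..`, absolute paths, platform separators, `/tmp` contents) because no path is ever parsed from the mod's input; the only thing the mod controls is one file name inside a directory the host chose. Whatever the real implementation looks like, the check belongs on the host side of the sandbox boundary, not in Lua that the mod can redefine.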
SECURE_API(g, dofile); | ||
SECURE_API(g, loadstring); | ||
SECURE_API(g, require); | ||
lua_pop(L, 1); |
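Review bot: this SECURE_API group wraps dofile, loadstring and require, but the fragment shows neither loadfile nor load, both of which exist as globals in Lua 5.1 and also compile arbitrary chunks; confirm they are wrapped or removed in the same place and say so in a comment next to these three lines.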
check if these safe functions are safe enough for client-side
SECURE_API(io, input); | ||
SECURE_API(io, output); | ||
SECURE_API(io, lines); | ||
|
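Review bot: io.input, io.output and io.lines are wrapped here, but io.open is not in this list even though it is the primary way to obtain a file handle by path; wrap or remove open alongside these (or note where it is handled), since leaving open reachable makes the wrapping of lines/input/output moot.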
check if these safe functions are safe enough for client-side; same here, especially for open
The jit part should check
1bea2cd to fad8ff5
b4aaca4 to 635507c
can you rebase @red-001?
fad8ff5 to 1c2bce5
Lacking description.
No description provided.