Permalink
Browse files

Merge pull request #13 from neoxic/master

Security fixes - don't change key with lua_tostring while traversing tables
  • Loading branch information...
2 parents 629b687 + 57c53f9 commit 638a24518170f1994db015e4d83aba03ba888f8f @larubbio larubbio committed Apr 18, 2012
Showing with 24 additions and 23 deletions.
  1. +0 −4 mongo_dbclient.cpp
  2. +24 −19 utils.cpp
View
@@ -300,8 +300,6 @@ static int dbclient_query(lua_State *L) {
const BSONObj *fieldsToReturn = NULL;
if (!lua_isnoneornil(L, 6)) {
- fieldsToReturn = new BSONObj();
-
int type = lua_type(L, 6);
if (type == LUA_TSTRING) {
@@ -367,8 +365,6 @@ static int dbclient_find_one(lua_State *L) {
const BSONObj *fieldsToReturn = NULL;
if (!lua_isnoneornil(L, 4)) {
- fieldsToReturn = new BSONObj();
-
int type = lua_type(L, 4);
if (type == LUA_TSTRING) {
View
@@ -171,14 +171,17 @@ static void lua_append_bson(lua_State *L, const char *key, int stackpos, BSONObj
builder->appendArray(key, b.obj());
} else {
for (lua_pushnil(L); lua_next(L, stackpos); lua_pop(L, 1)) {
- if (lua_isnumber(L, -2)) {
- stringstream ss;
- ss << lua_tonumber(L, -2);
-
- lua_append_bson(L, ss.str().c_str(), -1, &b, ref);
- } else {
- const char *k = lua_tostring(L, -2);
- if (k) lua_append_bson(L, k, -1, &b, ref);
+ switch (lua_type(L, -2)) { // key type
+ case LUA_TNUMBER: {
+ stringstream ss;
+ ss << lua_tonumber(L, -2);
+ lua_append_bson(L, ss.str().c_str(), -1, &b, ref);
+ break;
+ }
+ case LUA_TSTRING: {
+ lua_append_bson(L, lua_tostring(L, -2), -1, &b, ref);
+ break;
+ }
}
}
@@ -274,18 +277,20 @@ void lua_to_bson(lua_State *L, int stackpos, BSONObj &obj) {
lua_newtable(L);
int ref = luaL_ref(L, LUA_REGISTRYINDEX);
- lua_pushnil(L);
- while (lua_next(L, stackpos) != 0) {
- if (lua_type(L, -2) == LUA_TNUMBER) {
- ostringstream ss;
- ss << lua_tonumber(L, -2);
- lua_append_bson(L, ss.str().c_str(), -1, &builder, ref);
- } else {
- const char *k = lua_tostring(L, -2);
- if (k) lua_append_bson(L, k, -1, &builder, ref);
- }
- lua_pop(L, 1);
+ for (lua_pushnil(L); lua_next(L, stackpos); lua_pop(L, 1)) {
+ switch (lua_type(L, -2)) { // key type
+ case LUA_TNUMBER: {
+ ostringstream ss;
+ ss << lua_tonumber(L, -2);
+ lua_append_bson(L, ss.str().c_str(), -1, &builder, ref);
+ break;
+ }
+ case LUA_TSTRING: {
+ lua_append_bson(L, lua_tostring(L, -2), -1, &builder, ref);
+ break;
+ }
+ }
}
luaL_unref(L, LUA_REGISTRYINDEX, ref);

0 comments on commit 638a245

Please sign in to comment.