added pol.cfg setting to disallow environment variable access

polserver · Dec 28, 2020 · 84c6b1b · 84c6b1b
1 parent bae244a
commit 84c6b1b
Show file tree

Hide file tree

Showing 8 changed files with 27 additions and 3 deletions.
diff --git a/docs/docs.polserver.com/pol100/configfiles.xml b/docs/docs.polserver.com/pol100/configfiles.xml
@@ -13,7 +13,7 @@
       <list>elipsis ... : repeat entries are allowed.</list>
       <bottom>This means the punctuation in these cases should NOT be in the actual config files used by POL, they only appear here for information purposes. Exception: curly braces { } are used to define an element in a config file. These must be present in the actual file.</bottom>
     </desc>
-    <datemodified>01/01/2019</datemodified>
+    <datemodified>12/28/2020</datemodified>
 </fileheader>
 
 
@@ -961,6 +961,7 @@ PidFilePath=(where POL will write its .pid file {default ./})
 [ShowWarningGump=(1/0 {default 1})]
 [ShowWarningItem=(1/0 {default 1})]
 [ShowWarningCursorSequence=(1/0 {default 1})]
+[AllowEnvironmentVariableAccess=(1/0 {default 1})]
 </structure>
     <explain>Your own pol.cfg should give descriptions on most of these. I'll describe them here if people want me to.</explain>
     <explain>UoDataFileRoot: Directory where Ultima Online client files are located. Used by UOConvert.exe to find map, multi, tiledata, statics, etc. files.

diff --git a/docs/docs.polserver.com/pol100/corechanges.xml b/docs/docs.polserver.com/pol100/corechanges.xml
@@ -2,9 +2,14 @@
 <ESCRIPT>
 	<header>
 		<topic>Latest Core Changes</topic>
-		<datemodified>12-26-2020</datemodified>
+		<datemodified>12-28-2020</datemodified>
 	</header>
 	<version name="POL100">
+		<entry>
+			<date>12-28-2020</date>
+			<author>Turley:</author>
+			<change type="Added">pol.cfg AllowEnvironmentVariableAccess disable this setting to disallow execution of os::GetEnvironmentVariable</change>
+		</entry>
 		<entry>
 			<date>12-26-2020</date>
 			<author>Turley:</author>

diff --git a/docs/docs.polserver.com/pol100/osem.xml b/docs/docs.polserver.com/pol100/osem.xml
@@ -288,6 +288,8 @@ Example: create a POST request to a REST endpoint with custom header:
   <prototype>GetEnvironmentVariable(name:="")</prototype>
     <parameter name="name" value="String name of environment variable, or empty string" />
     <return>String value of given enviroment variable, or if no name is given Dictionary{String, String}</return>
-    <explain>Returns the value of given environment variable, or if no name is given it returns a dictionary with all environment variables</explain>
+    <explain>Returns the value of given environment variable, or if no name is given it returns a dictionary with all environment variables.</explain>
+    <explain>pol.cfg AllowEnvironmentVariableAccess setting can disallow this function.</explain>
+    <relatedcfg>pol.cfg</relatedcfg>
 </function>
 </ESCRIPT>
diff --git a/pol-core/doc/core-changes.txt b/pol-core/doc/core-changes.txt
@@ -1,4 +1,6 @@
 -- POL100 --
+12-28-2020 Turley:
+    Added: pol.cfg AllowEnvironmentVariableAccess disable this setting to disallow execution of os::GetEnvironmentVariable
 12-26-2020 Turley:
     Added: os::GetEnvironmentVariable(name:="")
            returns String value of given environment variable name

diff --git a/pol-core/pol/module/osmod.cpp b/pol-core/pol/module/osmod.cpp
@@ -1195,6 +1195,8 @@ BObjectImp* OSExecutorModule::mf_LoadExportedScript()
 
 BObjectImp* OSExecutorModule::mf_GetEnvironmentVariable()
 {
+  if ( !Plib::systemstate.config.environmentvariable_access )
+    return new BError( "Environment Variable access disallowed due to pol.cfg setting" );
   const String* env_name;
   if ( !exec.getStringParam( 0, env_name ) )
     return new BError( "Invalid parameter type" );

diff --git a/pol-core/pol/polcfg.cpp b/pol-core/pol/polcfg.cpp
@@ -279,6 +279,9 @@ void PolConfig::read_pol_config( bool initial_load )
 
   Plib::systemstate.config.debug_level = elem.remove_ushort( "DebugLevel", 0 );
 
+  Plib::systemstate.config.environmentvariable_access =
+      elem.remove_bool( "AllowEnvironmentVariableAccess", true );
+
   /// The profiler needs to gather some data before the pol.cfg file gets loaded, so when it
   /// turns out to be disabled, or when it was enabled before, but is being disabled now,
   /// run "garbage collection" to free the allocated resources

diff --git a/pol-core/pol/polcfg.h b/pol-core/pol/polcfg.h
@@ -111,6 +111,8 @@ struct PolConfig
   std::string report_server;
   std::string report_url;
 
+  bool environmentvariable_access;
+
   static void read_pol_config( bool initial_load );
   static struct stat pol_cfg_stat;
   static void reload_pol_cfg();

diff --git a/pol-core/support/pol.cfg.example b/pol-core/support/pol.cfg.example
@@ -489,6 +489,13 @@ MaxObjtype=0xFFFFFFFF
 #
 #DiscardOldEvents=0
 
+# 
+# AllowEnvironmentVariableAccess 1/0
+# Enable/Disable os::GetEnvironmentVariable module function
+# Default is 1
+#
+#AllowEnvironmentVariableAccess=1
+
 #############################################################################
 ## Experimental Options - Modify at your own risk
 #############################################################################