

disallow loading lua bytecode via load/dofile (cve-2018-1999023)
Committing Rhonda's patch from Debian.
rhonda authored and sevu committed Dec 24, 2018
1 parent eabce7e commit e764257
Showing 3 changed files with 9 additions and 6 deletions.
4 changes: 2 additions & 2 deletions src/ai/lua/core.cpp
Expand Up @@ -913,7 +913,7 @@ static void generate_and_push_ai_table(lua_State* L, ai::engine_lua* engine) {

lua_ai_context* lua_ai_context::create(lua_State *L, char const *code, ai::engine_lua *engine)
{
int res_ai = luaL_loadstring(L, code);//stack size is now 1 [ -1: ai_context]
int res_ai = luaL_loadbufferx(L, code, strlen(code), /*name*/ code, "t"); // [-1: AI code]
if (res_ai)
{

Expand Down Expand Up @@ -943,7 +943,7 @@ lua_ai_context* lua_ai_context::create(lua_State *L, char const *code, ai::engin

lua_ai_action_handler* lua_ai_action_handler::create(lua_State *L, char const *code, lua_ai_context &context)
{
int res = luaL_loadstring(L, code);//stack size is now 1 [ -1: f]
int res = luaL_loadbufferx(L, code, strlen(code), /*name*/ code, "t");//stack size is now 1 [ -1: f]
if (res)
{
char const *m = lua_tostring(L, -1);
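Review bot: Both new luaL_loadbufferx calls in this file (the lua_ai_context::create hunk and the lua_ai_action_handler::create hunk) pass the mode literal `"t"` without a comment saying why, whereas the matching hunk in src/scripting/lua.cpp does explain it, so a later reader may "fix" the mode back to the default. Add the same rationale at both sites, e.g. `// mode "t": text chunks only - precompiled bytecode can escape the Lua sandbox (CVE-2018-1999023)`, or hoist the mode string into one named constant shared by the three files. A binary chunk now fails at the existing `if (res_ai)` / `if (res)` branches with Lua's own mode-mismatch error, so no extra handling is needed, and passing `code` as the chunk name matches what luaL_loadstring did before. Both functions continue past the end of their hunks.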
5 changes: 3 additions & 2 deletions src/lua/lbaselib.cpp
Expand Up @@ -310,16 +310,17 @@ static int luaB_load (lua_State *L) {
size_t l;
const char *s = lua_tolstring(L, 1, &l);
const char *mode = luaL_optstring(L, 3, "bt");
(void) mode;
int env = (!lua_isnone(L, 4) ? 4 : 0); /* 'env' index or 0 if no 'env' */
if (s != NULL) { /* loading a string? */
const char *chunkname = luaL_optstring(L, 2, s);
status = luaL_loadbufferx(L, s, l, chunkname, mode);
status = luaL_loadbufferx(L, s, l, chunkname, "t");
}
else { /* loading from a reader function */
const char *chunkname = luaL_optstring(L, 2, "=(load)");
luaL_checktype(L, 1, LUA_TFUNCTION);
lua_settop(L, RESERVEDSLOT); /* create reserved slot */
status = lua_load(L, generic_reader, NULL, chunkname, mode);
status = lua_load(L, generic_reader, NULL, chunkname, "t");
}
return load_aux(L, status, env);
}
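Review bot: `(void) mode;` leaves `mode` as a dead local kept only to silence a warning, and the two `"t"` lines that override it carry no hint that a script's requested mode of "b" or "bt" is now silently narrowed; luaB_load's signature and start lie above the hunk. Express the intent in code instead of a cast: `luaL_optstring(L, 3, "bt");  /* arg 3 is still type-checked but ignored: only text chunks are ever loaded (CVE-2018-1999023) */` and drop the `mode` variable, which keeps the argument validation the old code performed. Rejecting a mode containing 'b' via luaL_argcheck would be stricter, but since the default is "bt" every existing caller would then fail, so documenting the narrowing is the better fit here.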
6 changes: 4 additions & 2 deletions src/scripting/lua.cpp
Expand Up @@ -1052,7 +1052,7 @@ class lua_filestream
//lua uses '@' to know that this is a file (as opposed to a something as opposed to something loaded via loadstring )
std::string chunkname = '@' + fname;
LOG_LUA << "starting to read from " << fname << "\n";
return lua_load(L, &lua_filestream::lua_read_data, &lfs, chunkname.c_str(), NULL);
return lua_load(L, &lua_filestream::lua_read_data, &lfs, chunkname.c_str(), "t");
}
private:
char buff_[LUAL_BUFFERSIZE];
Expand Down Expand Up @@ -4239,7 +4239,9 @@ bool LuaKernel::execute(char const *prog, int nArgs, int nRets)
lua_State *L = mState;

// Compile script into a variadic function.
int res = luaL_loadstring(L, prog);
// pass 't' to prevent loading bytecode which is unsafe and can be used to escape the sandbox.
// todo: maybe allow a 'name' parameter to give better error messages.
int res = luaL_loadbufferx(L, prog, strlen(prog), /*name*/ prog, "t");
if (res)
{
char const *m = lua_tostring(L, -1);
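Review bot: The lua_filestream hunk changes the lua_load mode from NULL to `"t"` with no comment, while the LuaKernel::execute hunk explains the reason; since the file path (dofile through lua_filestream) is the one named in the commit title, it deserves the same note, e.g. `// mode "t": reject precompiled bytecode (CVE-2018-1999023)` above the return. The `/*name*/ prog` chunk name in execute reproduces what luaL_loadstring used, so error messages are unchanged and the todo above it can stay. I cannot see the rest of the tree from here, so any other chunk-loading call (lua_load, luaL_loadbuffer, luaL_loadfile) elsewhere would still accept bytecode until it gets the same mode argument. Both enclosing functions begin before their hunks.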
