From c9fe83b95daa3189465049e53c058bdfa1ce51b4 Mon Sep 17 00:00:00 2001
From: wolfy852
Date: Sun, 17 Jan 2016 01:37:19 -0600
Subject: [PATCH] Block the use of ../ and ..\\ ...and remove io.popen(), cause that shit is DANGEROUS.
---
 src/blua/liolib.c | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)
diff --git a/src/blua/liolib.c b/src/blua/liolib.c
index e79ed1cb..5c48add7 100644
--- a/src/blua/liolib.c
+++ b/src/blua/liolib.c
@@ -160,6 +160,11 @@ static int io_tostring (lua_State *L) {
 static int io_open (lua_State *L) {
 const char *filename = luaL_checkstring(L, 1);
+ if (strstr(filename, "../") || strstr(filename, "..\\"))
+ {
+ luaL_error(L,"access denied to %s", filename);
+ return pushresult(L,0,filename);
+ }
 const char *mode = luaL_optstring(L, 2, "r");
 FILE **pf = newfile(L);
 *pf = fopen(filename, mode);
@@ -167,19 +172,6 @@ static int io_open (lua_State *L) {
 }
-/*
-** this function has a separated environment, which defines the
-** correct __close for 'popen' files
-*/
-static int io_popen (lua_State *L) {
- const char *filename = luaL_checkstring(L, 1);
- const char *mode = luaL_optstring(L, 2, "r");
- FILE **pf = newfile(L);
- *pf = lua_popen(L, filename, mode);
- return (*pf == NULL) ? pushresult(L, 0, filename) : 1;
-}
-
-
 static int io_tmpfile (lua_State *L) {
 FILE **pf = newfile(L);
 *pf = tmpfile();
@@ -481,7 +473,6 @@ static const luaL_Reg iolib[] = {
 {"lines", io_lines},
 {"open", io_open},
 {"output", io_output},
- {"popen", io_popen},
 {"read", io_read},
 {"tmpfile", io_tmpfile},
 {"type", io_type},
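Review bot: The guard added to io_open is a substring deny-list for `../` and `..\\`, so any name that needs no parent-directory component (an absolute or drive-qualified path, for instance) still reaches `fopen` unfiltered. Confining scripts to a directory is more reliably done by resolving the name against a fixed base directory and rejecting whatever falls outside it. `luaL_error` does not return, which makes the following `return pushresult(L,0,filename);` dead code; the block can shrink to `if (strstr(filename, "../") || strstr(filename, "..\\")) return luaL_error(L, "access denied to %s", filename);`, placed after the `mode` declaration if the file is meant to stay C89-clean. The last hunk leaves `io.lines` and `io.output` registered; in stock Lua these also open files by name, so they presumably need the same filter, which is worth confirming against the rest of the file. io_open's body continues past the end of the hunk.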