stjr/Kart-Public
0
0
Fork 0
mirror of https://git.do.srb2.org/KartKrew/Kart-Public.git synced 2024-12-28 13:21:10 +00:00
Code Issues Projects Releases Packages Wiki Activity

Block the use of ../ and ..\\

Browse source 
...and remove io.popen(), cause that shit is DANGEROUS.
This commit is contained in:
wolfy852 2016-01-17 01:37:19 -06:00
parent eb7c36d72c
commit c9fe83b95d
1 changed files with 5 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
src/blua/liolib.c
View file

@ -160,6 +160,11 @@ static int io_tostring (lua_State *L) {
static int io_open (lua_State *L) { static int io_open (lua_State *L) {
const char *filename = luaL_checkstring(L, 1); const char *filename = luaL_checkstring(L, 1);
if (strstr(filename, "../") || strstr(filename, "..\\"))
{
luaL_error(L,"access denied to %s", filename);
return pushresult(L,0,filename);
}
const char *mode = luaL_optstring(L, 2, "r"); const char *mode = luaL_optstring(L, 2, "r");
FILE **pf = newfile(L); FILE **pf = newfile(L);
*pf = fopen(filename, mode); *pf = fopen(filename, mode);
@ -167,19 +172,6 @@ static int io_open (lua_State *L) {
} }
/*
** this function has a separated environment, which defines the
** correct __close for 'popen' files
*/
static int io_popen (lua_State *L) {
const char *filename = luaL_checkstring(L, 1);
const char *mode = luaL_optstring(L, 2, "r");
FILE **pf = newfile(L);
*pf = lua_popen(L, filename, mode);
return (*pf == NULL) ? pushresult(L, 0, filename) : 1;
}
static int io_tmpfile (lua_State *L) { static int io_tmpfile (lua_State *L) {
FILE **pf = newfile(L); FILE **pf = newfile(L);
*pf = tmpfile(); *pf = tmpfile();
@ -481,7 +473,6 @@ static const luaL_Reg iolib[] = {
{"lines", io_lines}, {"lines", io_lines},
{"open", io_open}, {"open", io_open},
{"output", io_output}, {"output", io_output},
{"popen", io_popen},
{"read", io_read}, {"read", io_read},
{"tmpfile", io_tmpfile}, {"tmpfile", io_tmpfile},
{"type", io_type}, {"type", io_type},