lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On 19.03.2017 03:13, Kat Kioo wrote:
First I apologize for my bad spelling as I am on my phone.
Removing at compile time is relatively easy as you can just open
specific libraries when you create the state. In the case of io library
you could rewrite src/lib_io.c to remove what you dont need and put the
path checks in the c code itself.

For paths it is very tricky as it is os dependant. If the game is
windows only, call PathCanocalize and compare the path output to your

No problem. I guess editing the lua source directly is the best
approach. But as I said, want to keep things simple for now.
The game is Windows only and PathCanonicalize is surely good to know,

On 19.03.2017 11:20, Sean Conner wrote:
> It was thus said that the Great David F once stated:
>> On 19/03/17 02:27 AM, Kat Kioo wrote:
>>> In general you should just remove the functions at compile time instead
>>> of removing at runtime in the vm. Another thing that you might
consider a
>>> security ossue is your makesafeph function. In general it is not as
>>> as a few regex replaces.
>> Not really sure how to imagine the first part. Sounds complicated.
>> makeSafePath does not use regex. It checks for a relative path that
>> escapes its parent directory (".."), if it doesn't the user dir is
>> prefixed and the result returned. I tried finding out if there is
>> else special going on with paths under windows, but the best I could
>> was a msdn article that didn't reveal anything new. When fed with an
>> absolute path the function should return an invalid path. I'll
probably do
>> check for that and just return nil.
>   It looks like your running your code under Windows, which has a several
> issues that Unix (Linux, Mac OS-X) does not have.
>   First off, you don't check for drive letters at the start of the file
> name.  Second, there are certain file names that should be checked
for and
> rejected [1], like CON (or con or con.txt or con.any_extension_really).
> Now, assuming a filename doesn't contain a drive letter or contains a
> name, if it starts with a '/' or a '\', it can be rejected for being
a full
> path:
> 	if pathname:match "^[\\/]" then error() end
> otherwise it's a relative name.  You can break it apart on the path
> separator, looking at each segment and applying some logic.  Here, I
> accumulate each segment (assuming a relative path without device
names and
> using a '/' for a path separator) in a table.  For ".." (parent
directory) I
> remove the last recently added segment; for anything other than "." I
add it
> ("." is "current directory" and can be ignored):
> 	local function normalize(path)
> 	  local acc = {}
> 	  for segment in path:gmatch("[^/]+") do
> 	    if segment == ".." then
> 	      table.remove(acc)
> 	    else if segment ~= "." then
> 	      table.insert(acc,segment)
> 	    end
> 	  end
> 	  return table.concat(acc,'/')
> 	end
> Trying it:
> 	print(normalize("../../../../../../../etc/passwd"))
> 	print(normalize(".././.././here/../be/../dragons"))
> 	etc/passwd
> 	dragons
> Then you can just prepend on the "root" directory.
>   -spc
> [1]

I like that function a lot, thanks. Totally forgot to ignore ".".
So I did my own version:

	makeSafePath = function(path)
		if type(path) ~= "string" then return nil end
		path = path:gsub([[\]], "/")

		if path:match("^[^/]+:") or path:match("^/") then
			error("absolute path not allowed")

		local segments = {}
		for segment in path:gmatch("[^/]+") do
			if segment == ".." then
			elseif segment ~= "." then
				table.insert(segments, segment)

		return sandbox.userDir .. table.concat(segments, '/')

I think that will do.
As for reserved file names, apparently windows just says "No" and does
not do anything. Good enough for me.

Diese E-Mail wurde von Avast Antivirus-Software auf Viren geprüft.