On 19.03.2017 03:13, Kat Kioo wrote:
First I apologize for my bad spelling as I am on my phone.
Removing at compile time is relatively easy as you can just open
specific libraries when you create the state. In the case of io library
you could rewrite src/lib_io.c to remove what you dont need and put the
path checks in the c code itself.
For paths it is very tricky as it is os dependant. If the game is
windows only, call PathCanocalize and compare the path output to your
filters.
No problem. I guess editing the lua source directly is the best
approach. But as I said, want to keep things simple for now.
The game is Windows only and PathCanonicalize is surely good to know,
thanks.
On 19.03.2017 11:20, Sean Conner wrote:
> It was thus said that the Great David F once stated:
>> On 19/03/17 02:27 AM, Kat Kioo wrote:
>>
>>> In general you should just remove the functions at compile time
instead
>>> of removing at runtime in the vm. Another thing that you might
consider a
>>> security ossue is your makesafeph function. In general it is not
as simple
>>> as a few regex replaces.
>>
>> Not really sure how to imagine the first part. Sounds complicated.
>>
>> makeSafePath does not use regex. It checks for a relative path that
>> escapes its parent directory (".."), if it doesn't the user dir is
>> prefixed and the result returned. I tried finding out if there is
anything
>> else special going on with paths under windows, but the best I
could find
>> was a msdn article that didn't reveal anything new. When fed with an
>> absolute path the function should return an invalid path. I'll
probably do
>> check for that and just return nil.
>
> It looks like your running your code under Windows, which has a
several
> issues that Unix (Linux, Mac OS-X) does not have.
>
> First off, you don't check for drive letters at the start of the file
> name. Second, there are certain file names that should be checked
for and
> rejected [1], like CON (or con or con.txt or con.any_extension_really).
> Now, assuming a filename doesn't contain a drive letter or contains
a device
> name, if it starts with a '/' or a '\', it can be rejected for being
a full
> path:
>
> if pathname:match "^[\\/]" then error() end
>
> otherwise it's a relative name. You can break it apart on the path
> separator, looking at each segment and applying some logic. Here, I
> accumulate each segment (assuming a relative path without device
names and
> using a '/' for a path separator) in a table. For ".." (parent
directory) I
> remove the last recently added segment; for anything other than "."
I add it
> ("." is "current directory" and can be ignored):
>
> local function normalize(path)
> local acc = {}
> for segment in path:gmatch("[^/]+") do
> if segment == ".." then
> table.remove(acc)
> else if segment ~= "." then
> table.insert(acc,segment)
> end
> end
>
> return table.concat(acc,'/')
> end
>
> Trying it:
>
> print(normalize("../../../../../../../etc/passwd"))
> print(normalize(".././.././here/../be/../dragons"))
>
> etc/passwd
> dragons
>
> Then you can just prepend on the "root" directory.
>
> -spc
>
> [1]
https://support.microsoft.com/en-us/help/74496/ms-dos-device-driver-names-cannot-be-used-as-file-names
>
I like that function a lot, thanks. Totally forgot to ignore ".".
So I did my own version:
makeSafePath = function(path)
if type(path) ~= "string" then return nil end
path = path:gsub([[\]], "/")
if path:match("^[^/]+:") or path:match("^/") then
error("absolute path not allowed")
end
local segments = {}
for segment in path:gmatch("[^/]+") do
if segment == ".." then
table.remove(segments)
elseif segment ~= "." then
table.insert(segments, segment)
end
end
return sandbox.userDir .. table.concat(segments, '/')
end
I think that will do.
As for reserved file names, apparently windows just says "No" and does
not do anything. Good enough for me.
--David
---
Diese E-Mail wurde von Avast Antivirus-Software auf Viren geprüft.
https://www.avast.com/antivirus
