Block access to the io library

minetest · Mar 19, 2017 · 2e3778e · 2e3778e
1 parent f8ad01a
commit 2e3778e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 34 deletions.
diff --git a/builtin/common/misc_helpers.lua b/builtin/common/misc_helpers.lua
@@ -197,16 +197,17 @@ assert(table.indexof({"foo", "bar"}, "foo") == 1)
 assert(table.indexof({"foo", "bar"}, "baz") == -1)
 
 --------------------------------------------------------------------------------
-function file_exists(filename)
-	local f = io.open(filename, "r")
-	if f == nil then
-		return false
-	else
-		f:close()
-		return true
+if INIT ~= "client" then
+	function file_exists(filename)
+		local f = io.open(filename, "r")
+		if f == nil then
+			return false
+		else
+			f:close()
+			return true
+		end
 	end
 end
-
 --------------------------------------------------------------------------------
 function string:trim()
 	return (self:gsub("^%s*(.-)%s*$", "%1"))

diff --git a/src/script/cpp_api/s_security.cpp b/src/script/cpp_api/s_security.cpp
@@ -123,6 +123,7 @@ void ScriptApiSecurity::initializeSecurity()
 		"path",
 		"searchpath",
 	};
+#if USE_LUAJIT
 	static const char *jit_whitelist[] = {
 		"arch",
 		"flush",
@@ -134,7 +135,7 @@ void ScriptApiSecurity::initializeSecurity()
 		"version",
 		"version_num",
 	};
-
+#endif
 	m_secure = true;
 
 	lua_State *L = getStack();
@@ -245,13 +246,6 @@ void ScriptApiSecurity::initializeSecurityClient()
 		"table",
 		"math",
 	};
-	static const char *io_whitelist[] = {
-		"close",
-		"flush",
-		"read",
-		"type",
-		"write",
-	};
 	static const char *os_whitelist[] = {
 		"clock",
 		"date",
@@ -263,6 +257,7 @@ void ScriptApiSecurity::initializeSecurityClient()
 		"getinfo",
 	};
 
+#if USE_LUAJIT
 	static const char *jit_whitelist[] = {
 		"arch",
 		"flush",
@@ -274,6 +269,7 @@ void ScriptApiSecurity::initializeSecurityClient()
 		"version",
 		"version_num",
 	};
+#endif
 
 	m_secure = true;
 
@@ -294,20 +290,6 @@ void ScriptApiSecurity::initializeSecurityClient()
 	lua_pop(L, 1);
 
 
-	// Copy safe IO functions
-	lua_getfield(L, old_globals, "io");
-	lua_newtable(L);
-	copy_safe(L, io_whitelist, sizeof(io_whitelist));
-
-	// And replace unsafe ones
-	SECURE_API(io, open);
-	SECURE_API(io, input);
-	SECURE_API(io, output);
-	SECURE_API(io, lines);
-
-	lua_setglobal(L, "io");
-	lua_pop(L, 1);  // Pop old IO
-
 
 	// Copy safe OS functions
 	lua_getfield(L, old_globals, "os");
@@ -324,10 +306,6 @@ void ScriptApiSecurity::initializeSecurityClient()
 	lua_setglobal(L, "debug");
 	lua_pop(L, 1);  // Pop old debug
 
-	// Remove all of package
-	lua_newtable(L);
-	lua_setglobal(L, "package");
-
 #if USE_LUAJIT
 	// Copy safe jit functions, if they exist
 	lua_getfield(L, -1, "jit");