You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

820 lines
21 KiB

  1. /*
  2. Minetest
  3. Copyright (C) 2013 celeron55, Perttu Ahola <celeron55@gmail.com>
  4. This program is free software; you can redistribute it and/or modify
  5. it under the terms of the GNU Lesser General Public License as published by
  6. the Free Software Foundation; either version 2.1 of the License, or
  7. (at your option) any later version.
  8. This program is distributed in the hope that it will be useful,
  9. but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. GNU Lesser General Public License for more details.
  12. You should have received a copy of the GNU Lesser General Public License along
  13. with this program; if not, write to the Free Software Foundation, Inc.,
  14. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  15. */
  16. #include "cpp_api/s_security.h"
  17. #include "filesys.h"
  18. #include "porting.h"
  19. #include "server.h"
  20. #include "client.h"
  21. #include "settings.h"
  22. #include <cerrno>
  23. #include <string>
  24. #include <iostream>
  25. #define SECURE_API(lib, name) \
  26. lua_pushcfunction(L, sl_##lib##_##name); \
  27. lua_setfield(L, -2, #name);
  28. static inline void copy_safe(lua_State *L, const char *list[], unsigned len, int from=-2, int to=-1)
  29. {
  30. if (from < 0) from = lua_gettop(L) + from + 1;
  31. if (to < 0) to = lua_gettop(L) + to + 1;
  32. for (unsigned i = 0; i < (len / sizeof(list[0])); i++) {
  33. lua_getfield(L, from, list[i]);
  34. lua_setfield(L, to, list[i]);
  35. }
  36. }
  37. // Pushes the original version of a library function on the stack, from the old version
  38. static inline void push_original(lua_State *L, const char *lib, const char *func)
  39. {
  40. lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
  41. lua_getfield(L, -1, lib);
  42. lua_remove(L, -2); // Remove globals_backup
  43. lua_getfield(L, -1, func);
  44. lua_remove(L, -2); // Remove lib
  45. }
  46. void ScriptApiSecurity::initializeSecurity()
  47. {
  48. static const char *whitelist[] = {
  49. "assert",
  50. "core",
  51. "collectgarbage",
  52. "DIR_DELIM",
  53. "error",
  54. "getfenv",
  55. "getmetatable",
  56. "ipairs",
  57. "next",
  58. "pairs",
  59. "pcall",
  60. "print",
  61. "rawequal",
  62. "rawget",
  63. "rawset",
  64. "select",
  65. "setfenv",
  66. "setmetatable",
  67. "tonumber",
  68. "tostring",
  69. "type",
  70. "unpack",
  71. "_VERSION",
  72. "xpcall",
  73. // Completely safe libraries
  74. "coroutine",
  75. "string",
  76. "table",
  77. "math",
  78. };
  79. static const char *io_whitelist[] = {
  80. "close",
  81. "flush",
  82. "read",
  83. "type",
  84. "write",
  85. };
  86. static const char *os_whitelist[] = {
  87. "clock",
  88. "date",
  89. "difftime",
  90. "getenv",
  91. "setlocale",
  92. "time",
  93. "tmpname",
  94. };
  95. static const char *debug_whitelist[] = {
  96. "gethook",
  97. "traceback",
  98. "getinfo",
  99. "getmetatable",
  100. "setupvalue",
  101. "setmetatable",
  102. "upvalueid",
  103. "upvaluejoin",
  104. "sethook",
  105. "debug",
  106. "setlocal",
  107. };
  108. static const char *package_whitelist[] = {
  109. "config",
  110. "cpath",
  111. "path",
  112. "searchpath",
  113. };
  114. #if USE_LUAJIT
  115. static const char *jit_whitelist[] = {
  116. "arch",
  117. "flush",
  118. "off",
  119. "on",
  120. "opt",
  121. "os",
  122. "status",
  123. "version",
  124. "version_num",
  125. };
  126. #endif
  127. m_secure = true;
  128. lua_State *L = getStack();
  129. // Backup globals to the registry
  130. lua_getglobal(L, "_G");
  131. lua_rawseti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
  132. // Replace the global environment with an empty one
  133. int thread = getThread(L);
  134. createEmptyEnv(L);
  135. setLuaEnv(L, thread);
  136. // Get old globals
  137. lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
  138. int old_globals = lua_gettop(L);
  139. // Copy safe base functions
  140. lua_getglobal(L, "_G");
  141. copy_safe(L, whitelist, sizeof(whitelist));
  142. // And replace unsafe ones
  143. SECURE_API(g, dofile);
  144. SECURE_API(g, load);
  145. SECURE_API(g, loadfile);
  146. SECURE_API(g, loadstring);
  147. SECURE_API(g, require);
  148. lua_pop(L, 1);
  149. // Copy safe IO functions
  150. lua_getfield(L, old_globals, "io");
  151. lua_newtable(L);
  152. copy_safe(L, io_whitelist, sizeof(io_whitelist));
  153. // And replace unsafe ones
  154. SECURE_API(io, open);
  155. SECURE_API(io, input);
  156. SECURE_API(io, output);
  157. SECURE_API(io, lines);
  158. lua_setglobal(L, "io");
  159. lua_pop(L, 1); // Pop old IO
  160. // Copy safe OS functions
  161. lua_getfield(L, old_globals, "os");
  162. lua_newtable(L);
  163. copy_safe(L, os_whitelist, sizeof(os_whitelist));
  164. // And replace unsafe ones
  165. SECURE_API(os, remove);
  166. SECURE_API(os, rename);
  167. lua_setglobal(L, "os");
  168. lua_pop(L, 1); // Pop old OS
  169. // Copy safe debug functions
  170. lua_getfield(L, old_globals, "debug");
  171. lua_newtable(L);
  172. copy_safe(L, debug_whitelist, sizeof(debug_whitelist));
  173. lua_setglobal(L, "debug");
  174. lua_pop(L, 1); // Pop old debug
  175. // Copy safe package fields
  176. lua_getfield(L, old_globals, "package");
  177. lua_newtable(L);
  178. copy_safe(L, package_whitelist, sizeof(package_whitelist));
  179. lua_setglobal(L, "package");
  180. lua_pop(L, 1); // Pop old package
  181. #if USE_LUAJIT
  182. // Copy safe jit functions, if they exist
  183. lua_getfield(L, -1, "jit");
  184. if (!lua_isnil(L, -1)) {
  185. lua_newtable(L);
  186. copy_safe(L, jit_whitelist, sizeof(jit_whitelist));
  187. lua_setglobal(L, "jit");
  188. }
  189. lua_pop(L, 1); // Pop old jit
  190. #endif
  191. lua_pop(L, 1); // Pop globals_backup
  192. }
  193. void ScriptApiSecurity::initializeSecurityClient()
  194. {
  195. static const char *whitelist[] = {
  196. "assert",
  197. "core",
  198. "collectgarbage",
  199. "DIR_DELIM",
  200. "error",
  201. "getfenv",
  202. "ipairs",
  203. "next",
  204. "pairs",
  205. "pcall",
  206. "print",
  207. "rawequal",
  208. "rawget",
  209. "rawset",
  210. "select",
  211. "setfenv",
  212. // getmetatable can be used to escape the sandbox
  213. "setmetatable",
  214. "tonumber",
  215. "tostring",
  216. "type",
  217. "unpack",
  218. "_VERSION",
  219. "xpcall",
  220. // Completely safe libraries
  221. "coroutine",
  222. "string",
  223. "table",
  224. "math",
  225. };
  226. static const char *os_whitelist[] = {
  227. "clock",
  228. "date",
  229. "difftime",
  230. "time",
  231. "setlocale",
  232. };
  233. static const char *debug_whitelist[] = {
  234. "getinfo",
  235. };
  236. #if USE_LUAJIT
  237. static const char *jit_whitelist[] = {
  238. "arch",
  239. "flush",
  240. "off",
  241. "on",
  242. "opt",
  243. "os",
  244. "status",
  245. "version",
  246. "version_num",
  247. };
  248. #endif
  249. m_secure = true;
  250. lua_State *L = getStack();
  251. int thread = getThread(L);
  252. // create an empty environment
  253. createEmptyEnv(L);
  254. // Copy safe base functions
  255. lua_getglobal(L, "_G");
  256. lua_getfield(L, -2, "_G");
  257. copy_safe(L, whitelist, sizeof(whitelist));
  258. // And replace unsafe ones
  259. SECURE_API(g, dofile);
  260. SECURE_API(g, load);
  261. SECURE_API(g, loadfile);
  262. SECURE_API(g, loadstring);
  263. SECURE_API(g, require);
  264. lua_pop(L, 2);
  265. // Copy safe OS functions
  266. lua_getglobal(L, "os");
  267. lua_newtable(L);
  268. copy_safe(L, os_whitelist, sizeof(os_whitelist));
  269. lua_setfield(L, -3, "os");
  270. lua_pop(L, 1); // Pop old OS
  271. // Copy safe debug functions
  272. lua_getglobal(L, "debug");
  273. lua_newtable(L);
  274. copy_safe(L, debug_whitelist, sizeof(debug_whitelist));
  275. lua_setfield(L, -3, "debug");
  276. lua_pop(L, 1); // Pop old debug
  277. #if USE_LUAJIT
  278. // Copy safe jit functions, if they exist
  279. lua_getglobal(L, "jit");
  280. lua_newtable(L);
  281. copy_safe(L, jit_whitelist, sizeof(jit_whitelist));
  282. lua_setfield(L, -3, "jit");
  283. lua_pop(L, 1); // Pop old jit
  284. #endif
  285. // Set the environment to the one we created earlier
  286. setLuaEnv(L, thread);
  287. }
  288. int ScriptApiSecurity::getThread(lua_State *L)
  289. {
  290. #if LUA_VERSION_NUM <= 501
  291. int is_main = lua_pushthread(L); // Push the main thread
  292. FATAL_ERROR_IF(!is_main, "Security: ScriptApi's Lua state "
  293. "isn't the main Lua thread!");
  294. return lua_gettop(L);
  295. #endif
  296. return 0;
  297. }
  298. void ScriptApiSecurity::createEmptyEnv(lua_State *L)
  299. {
  300. lua_newtable(L); // Create new environment
  301. lua_pushvalue(L, -1);
  302. lua_setfield(L, -2, "_G"); // Create the _G loop
  303. }
  304. void ScriptApiSecurity::setLuaEnv(lua_State *L, int thread)
  305. {
  306. #if LUA_VERSION_NUM >= 502 // Lua >= 5.2
  307. // Set the global environment
  308. lua_rawseti(L, LUA_REGISTRYINDEX, LUA_RIDX_GLOBALS);
  309. #else // Lua <= 5.1
  310. // Set the environment of the main thread
  311. FATAL_ERROR_IF(!lua_setfenv(L, thread), "Security: Unable to set "
  312. "environment of the main Lua thread!");
  313. lua_pop(L, 1); // Pop thread
  314. #endif
  315. }
  316. bool ScriptApiSecurity::isSecure(lua_State *L)
  317. {
  318. lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
  319. bool secure = !lua_isnil(L, -1);
  320. lua_pop(L, 1);
  321. return secure;
  322. }
  323. #define CHECK_FILE_ERR(ret, fp) \
  324. if (ret) { \
  325. lua_pushfstring(L, "%s: %s", path, strerror(errno)); \
  326. if (fp) std::fclose(fp); \
  327. return false; \
  328. }
  329. bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path, const char *display_name)
  330. {
  331. FILE *fp;
  332. char *chunk_name;
  333. if (!display_name)
  334. display_name = path;
  335. if (!path) {
  336. fp = stdin;
  337. chunk_name = const_cast<char *>("=stdin");
  338. } else {
  339. fp = fopen(path, "rb");
  340. if (!fp) {
  341. lua_pushfstring(L, "%s: %s", path, strerror(errno));
  342. return false;
  343. }
  344. chunk_name = new char[strlen(display_name) + 2];
  345. chunk_name[0] = '@';
  346. chunk_name[1] = '\0';
  347. strcat(chunk_name, display_name);
  348. }
  349. size_t start = 0;
  350. int c = std::getc(fp);
  351. if (c == '#') {
  352. // Skip the first line
  353. while ((c = std::getc(fp)) != EOF && c != '\n');
  354. if (c == '\n') c = std::getc(fp);
  355. start = std::ftell(fp);
  356. }
  357. if (c == LUA_SIGNATURE[0]) {
  358. lua_pushliteral(L, "Bytecode prohibited when mod security is enabled.");
  359. std::fclose(fp);
  360. if (path) {
  361. delete [] chunk_name;
  362. }
  363. return false;
  364. }
  365. // Read the file
  366. int ret = std::fseek(fp, 0, SEEK_END);
  367. if (ret) {
  368. lua_pushfstring(L, "%s: %s", path, strerror(errno));
  369. std::fclose(fp);
  370. if (path) {
  371. delete [] chunk_name;
  372. }
  373. return false;
  374. }
  375. size_t size = std::ftell(fp) - start;
  376. char *code = new char[size];
  377. ret = std::fseek(fp, start, SEEK_SET);
  378. if (ret) {
  379. lua_pushfstring(L, "%s: %s", path, strerror(errno));
  380. std::fclose(fp);
  381. delete [] code;
  382. if (path) {
  383. delete [] chunk_name;
  384. }
  385. return false;
  386. }
  387. size_t num_read = std::fread(code, 1, size, fp);
  388. if (path) {
  389. std::fclose(fp);
  390. }
  391. if (num_read != size) {
  392. lua_pushliteral(L, "Error reading file to load.");
  393. delete [] code;
  394. if (path) {
  395. delete [] chunk_name;
  396. }
  397. return false;
  398. }
  399. if (luaL_loadbuffer(L, code, size, chunk_name)) {
  400. delete [] code;
  401. return false;
  402. }
  403. delete [] code;
  404. if (path) {
  405. delete [] chunk_name;
  406. }
  407. return true;
  408. }
  409. bool ScriptApiSecurity::checkPath(lua_State *L, const char *path,
  410. bool write_required, bool *write_allowed)
  411. {
  412. if (write_allowed)
  413. *write_allowed = false;
  414. std::string str; // Transient
  415. std::string abs_path = fs::AbsolutePath(path);
  416. if (!abs_path.empty()) {
  417. // Don't allow accessing the settings file
  418. str = fs::AbsolutePath(g_settings_path);
  419. if (str == abs_path) return false;
  420. }
  421. // If we couldn't find the absolute path (path doesn't exist) then
  422. // try removing the last components until it works (to allow
  423. // non-existent files/folders for mkdir).
  424. std::string cur_path = path;
  425. std::string removed;
  426. while (abs_path.empty() && !cur_path.empty()) {
  427. std::string component;
  428. cur_path = fs::RemoveLastPathComponent(cur_path, &component);
  429. if (component == "..") {
  430. // Parent components can't be allowed or we could allow something like
  431. // /home/user/minetest/worlds/foo/noexist/../../../../../../etc/passwd.
  432. // If we have previous non-relative elements in the path we might be
  433. // able to remove them so that things like worlds/foo/noexist/../auth.txt
  434. // could be allowed, but those paths will be interpreted as nonexistent
  435. // by the operating system anyways.
  436. return false;
  437. }
  438. removed = component + (removed.empty() ? "" : DIR_DELIM + removed);
  439. abs_path = fs::AbsolutePath(cur_path);
  440. }
  441. if (abs_path.empty())
  442. return false;
  443. // Add the removed parts back so that you can't, eg, create a
  444. // directory in worldmods if worldmods doesn't exist.
  445. if (!removed.empty())
  446. abs_path += DIR_DELIM + removed;
  447. // Get server from registry
  448. lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_SCRIPTAPI);
  449. ScriptApiBase *script = (ScriptApiBase *) lua_touserdata(L, -1);
  450. lua_pop(L, 1);
  451. const IGameDef *gamedef = script->getGameDef();
  452. if (!gamedef)
  453. return false;
  454. // Get mod name
  455. lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_CURRENT_MOD_NAME);
  456. if (lua_isstring(L, -1)) {
  457. std::string mod_name = readParam<std::string>(L, -1);
  458. // Builtin can access anything
  459. if (mod_name == BUILTIN_MOD_NAME) {
  460. if (write_allowed) *write_allowed = true;
  461. return true;
  462. }
  463. // Allow paths in mod path
  464. // Don't bother if write access isn't important, since it will be handled later
  465. if (write_required || write_allowed != NULL) {
  466. const ModSpec *mod = gamedef->getModSpec(mod_name);
  467. if (mod) {
  468. str = fs::AbsolutePath(mod->path);
  469. if (!str.empty() && fs::PathStartsWith(abs_path, str)) {
  470. if (write_allowed) *write_allowed = true;
  471. return true;
  472. }
  473. }
  474. }
  475. }
  476. lua_pop(L, 1); // Pop mod name
  477. // Allow read-only access to all mod directories
  478. if (!write_required) {
  479. const std::vector<ModSpec> mods = gamedef->getMods();
  480. for (size_t i = 0; i < mods.size(); ++i) {
  481. str = fs::AbsolutePath(mods[i].path);
  482. if (!str.empty() && fs::PathStartsWith(abs_path, str)) {
  483. return true;
  484. }
  485. }
  486. }
  487. str = fs::AbsolutePath(gamedef->getWorldPath());
  488. if (!str.empty()) {
  489. // Don't allow access to other paths in the world mod/game path.
  490. // These have to be blocked so you can't override a trusted mod
  491. // by creating a mod with the same name in a world mod directory.
  492. // We add to the absolute path of the world instead of getting
  493. // the absolute paths directly because that won't work if they
  494. // don't exist.
  495. if (fs::PathStartsWith(abs_path, str + DIR_DELIM + "worldmods") ||
  496. fs::PathStartsWith(abs_path, str + DIR_DELIM + "game")) {
  497. return false;
  498. }
  499. // Allow all other paths in world path
  500. if (fs::PathStartsWith(abs_path, str)) {
  501. if (write_allowed) *write_allowed = true;
  502. return true;
  503. }
  504. }
  505. // Default to disallowing
  506. return false;
  507. }
  508. int ScriptApiSecurity::sl_g_dofile(lua_State *L)
  509. {
  510. int nret = sl_g_loadfile(L);
  511. if (nret != 1) {
  512. lua_error(L);
  513. // code after this function isn't executed
  514. }
  515. int top_precall = lua_gettop(L);
  516. lua_call(L, 0, LUA_MULTRET);
  517. // Return number of arguments returned by the function,
  518. // adjusting for the function being poped.
  519. return lua_gettop(L) - (top_precall - 1);
  520. }
  521. int ScriptApiSecurity::sl_g_load(lua_State *L)
  522. {
  523. size_t len;
  524. const char *buf;
  525. std::string code;
  526. const char *chunk_name = "=(load)";
  527. luaL_checktype(L, 1, LUA_TFUNCTION);
  528. if (!lua_isnone(L, 2)) {
  529. luaL_checktype(L, 2, LUA_TSTRING);
  530. chunk_name = lua_tostring(L, 2);
  531. }
  532. while (true) {
  533. lua_pushvalue(L, 1);
  534. lua_call(L, 0, 1);
  535. int t = lua_type(L, -1);
  536. if (t == LUA_TNIL) {
  537. break;
  538. } else if (t != LUA_TSTRING) {
  539. lua_pushnil(L);
  540. lua_pushliteral(L, "Loader didn't return a string");
  541. return 2;
  542. }
  543. buf = lua_tolstring(L, -1, &len);
  544. code += std::string(buf, len);
  545. lua_pop(L, 1); // Pop return value
  546. }
  547. if (code[0] == LUA_SIGNATURE[0]) {
  548. lua_pushnil(L);
  549. lua_pushliteral(L, "Bytecode prohibited when mod security is enabled.");
  550. return 2;
  551. }
  552. if (luaL_loadbuffer(L, code.data(), code.size(), chunk_name)) {
  553. lua_pushnil(L);
  554. lua_insert(L, lua_gettop(L) - 1);
  555. return 2;
  556. }
  557. return 1;
  558. }
  559. int ScriptApiSecurity::sl_g_loadfile(lua_State *L)
  560. {
  561. #ifndef SERVER
  562. lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_SCRIPTAPI);
  563. ScriptApiBase *script = (ScriptApiBase *) lua_touserdata(L, -1);
  564. lua_pop(L, 1);
  565. if (script->getType() == ScriptingType::Client) {
  566. std::string display_path = readParam<std::string>(L, 1);
  567. const std::string *path = script->getClient()->getModFile(display_path);
  568. if (!path) {
  569. std::string error_msg = "Coudln't find script called:" + display_path;
  570. lua_pushnil(L);
  571. lua_pushstring(L, error_msg.c_str());
  572. return 2;
  573. }
  574. if (!safeLoadFile(L, path->c_str(), display_path.c_str())) {
  575. lua_pushnil(L);
  576. lua_insert(L, -2);
  577. return 2;
  578. }
  579. return 1;
  580. }
  581. #endif
  582. const char *path = NULL;
  583. if (lua_isstring(L, 1)) {
  584. path = lua_tostring(L, 1);
  585. CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL);
  586. }
  587. if (!safeLoadFile(L, path)) {
  588. lua_pushnil(L);
  589. lua_insert(L, -2);
  590. return 2;
  591. }
  592. return 1;
  593. }
  594. int ScriptApiSecurity::sl_g_loadstring(lua_State *L)
  595. {
  596. const char *chunk_name = "=(load)";
  597. luaL_checktype(L, 1, LUA_TSTRING);
  598. if (!lua_isnone(L, 2)) {
  599. luaL_checktype(L, 2, LUA_TSTRING);
  600. chunk_name = lua_tostring(L, 2);
  601. }
  602. size_t size;
  603. const char *code = lua_tolstring(L, 1, &size);
  604. if (size > 0 && code[0] == LUA_SIGNATURE[0]) {
  605. lua_pushnil(L);
  606. lua_pushliteral(L, "Bytecode prohibited when mod security is enabled.");
  607. return 2;
  608. }
  609. if (luaL_loadbuffer(L, code, size, chunk_name)) {
  610. lua_pushnil(L);
  611. lua_insert(L, lua_gettop(L) - 1);
  612. return 2;
  613. }
  614. return 1;
  615. }
  616. int ScriptApiSecurity::sl_g_require(lua_State *L)
  617. {
  618. lua_pushliteral(L, "require() is disabled when mod security is on.");
  619. return lua_error(L);
  620. }
  621. int ScriptApiSecurity::sl_io_open(lua_State *L)
  622. {
  623. bool with_mode = lua_gettop(L) > 1;
  624. luaL_checktype(L, 1, LUA_TSTRING);
  625. const char *path = lua_tostring(L, 1);
  626. bool write_requested = false;
  627. if (with_mode) {
  628. luaL_checktype(L, 2, LUA_TSTRING);
  629. const char *mode = lua_tostring(L, 2);
  630. write_requested = strchr(mode, 'w') != NULL ||
  631. strchr(mode, '+') != NULL ||
  632. strchr(mode, 'a') != NULL;
  633. }
  634. CHECK_SECURE_PATH_INTERNAL(L, path, write_requested, NULL);
  635. push_original(L, "io", "open");
  636. lua_pushvalue(L, 1);
  637. if (with_mode) {
  638. lua_pushvalue(L, 2);
  639. }
  640. lua_call(L, with_mode ? 2 : 1, 2);
  641. return 2;
  642. }
  643. int ScriptApiSecurity::sl_io_input(lua_State *L)
  644. {
  645. if (lua_isstring(L, 1)) {
  646. const char *path = lua_tostring(L, 1);
  647. CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL);
  648. }
  649. push_original(L, "io", "input");
  650. lua_pushvalue(L, 1);
  651. lua_call(L, 1, 1);
  652. return 1;
  653. }
  654. int ScriptApiSecurity::sl_io_output(lua_State *L)
  655. {
  656. if (lua_isstring(L, 1)) {
  657. const char *path = lua_tostring(L, 1);
  658. CHECK_SECURE_PATH_INTERNAL(L, path, true, NULL);
  659. }
  660. push_original(L, "io", "output");
  661. lua_pushvalue(L, 1);
  662. lua_call(L, 1, 1);
  663. return 1;
  664. }
  665. int ScriptApiSecurity::sl_io_lines(lua_State *L)
  666. {
  667. if (lua_isstring(L, 1)) {
  668. const char *path = lua_tostring(L, 1);
  669. CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL);
  670. }
  671. int top_precall = lua_gettop(L);
  672. push_original(L, "io", "lines");
  673. lua_pushvalue(L, 1);
  674. lua_call(L, 1, LUA_MULTRET);
  675. // Return number of arguments returned by the function,
  676. // adjusting for the function being poped.
  677. return lua_gettop(L) - top_precall;
  678. }
  679. int ScriptApiSecurity::sl_os_rename(lua_State *L)
  680. {
  681. luaL_checktype(L, 1, LUA_TSTRING);
  682. const char *path1 = lua_tostring(L, 1);
  683. CHECK_SECURE_PATH_INTERNAL(L, path1, true, NULL);
  684. luaL_checktype(L, 2, LUA_TSTRING);
  685. const char *path2 = lua_tostring(L, 2);
  686. CHECK_SECURE_PATH_INTERNAL(L, path2, true, NULL);
  687. push_original(L, "os", "rename");
  688. lua_pushvalue(L, 1);
  689. lua_pushvalue(L, 2);
  690. lua_call(L, 2, 2);
  691. return 2;
  692. }
  693. int ScriptApiSecurity::sl_os_remove(lua_State *L)
  694. {
  695. luaL_checktype(L, 1, LUA_TSTRING);
  696. const char *path = lua_tostring(L, 1);
  697. CHECK_SECURE_PATH_INTERNAL(L, path, true, NULL);
  698. push_original(L, "os", "remove");
  699. lua_pushvalue(L, 1);
  700. lua_call(L, 1, 2);
  701. return 2;
  702. }