thirdpartymirrors/RingRacers
1
0
Fork 0
mirror of https://github.com/KartKrewDev/RingRacers.git synced 2025-10-30 08:01:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Implement file type whitelist, completely remove popen and pclose

Browse source 
This is probably super inefficient. Someone please teach me how2C.
This commit is contained in:
wolfy852 2016-01-20 02:26:15 -06:00
parent c9fe83b95d
commit a68e92690f
1 changed files with 27 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
src/blua/liolib.c
View file

@ -25,6 +25,13 @@
static const char *const fnames[] = {"input", "output"}; static const char *const fnames[] = {"input", "output"};
static const char *whitelist[] = { // Allow scripters to write files of these types to SRB2's folder
".txt",
".sav2",
".cfg",
".png",
".bmp"
};
static int pushresult (lua_State *L, int i, const char *filename) { static int pushresult (lua_State *L, int i, const char *filename) {
@ -102,17 +109,6 @@ static int io_noclose (lua_State *L) {
} }
/*
** function to close 'popen' files
*/
static int io_pclose (lua_State *L) {
FILE **p = tofilep(L);
int ok = lua_pclose(L, *p);
*p = NULL;
return pushresult(L, ok, NULL);
}
/* /*
** function to close regular files ** function to close regular files
*/ */
@ -159,16 +155,26 @@ static int io_tostring (lua_State *L) {
static int io_open (lua_State *L) { static int io_open (lua_State *L) {
const char *filename = luaL_checkstring(L, 1); const char *filename = luaL_checkstring(L, 1);
if (strstr(filename, "../") || strstr(filename, "..\\")) int pass = 0; int i;
{ int length = strlen(filename) - 1;
luaL_error(L,"access denied to %s", filename); for (i = 0; i < 5; i++) // wolfs == noobcoder, so manually change this with any added file types
return pushresult(L,0,filename); {
} if (!stricmp(&filename[length - (strlen(whitelist[i]) - 1)], whitelist[i]))
const char *mode = luaL_optstring(L, 2, "r"); {
FILE **pf = newfile(L); pass = 1;
*pf = fopen(filename, mode); break;
return (*pf == NULL) ? pushresult(L, 0, filename) : 1; }
}
if (strstr(filename, "../") || strstr(filename, "..\\") || !pass)
{
luaL_error(L,"access denied to %s", filename);
return pushresult(L,0,filename);
}
const char *mode = luaL_optstring(L, 2, "r");
FILE **pf = newfile(L);
*pf = fopen(filename, mode);
return (*pf == NULL) ? pushresult(L, 0, filename) : 1;
} }
@ -535,10 +541,6 @@ LUALIB_API int luaopen_io (lua_State *L) {
createstdfile(L, stdout, IO_OUTPUT, "stdout"); createstdfile(L, stdout, IO_OUTPUT, "stdout");
createstdfile(L, stderr, 0, "stderr"); createstdfile(L, stderr, 0, "stderr");
lua_pop(L, 1); /* pop environment for default files */ lua_pop(L, 1); /* pop environment for default files */
lua_getfield(L, -1, "popen");
newfenv(L, io_pclose); /* create environment for 'popen' */
lua_setfenv(L, -2); /* set fenv for 'popen' */
lua_pop(L, 1); /* pop 'popen' */
return 1; return 1;
} }