Update of bug #15624 (project freeciv):

                  Status:             In Progress => Ready For Test         

    _______________________________________________________

Follow-up Comment #10:

This solution is easy and less complex/less lines of code, which makes it
easy to choose. This solution is also very easily applied to the 2.1 branch.
(Less code than in 2.2 or later due to how Lua 5.1 removed the public
functions to load libraries one by one).

------

Subject: [PATCH] Make impossible to access operating system from Lua scripts

For security reasons, Lua scripts should not be able to read files or
run programs on the host computer; freeciv scenarios should only be
able to influence the state of the game, not the state of the server
process or computer (except through normal scenario events, such as
end of game).

For this reason, we do not load some standard lua libraries that allow
access to files or the operating system. We also disallow loading lua
libraries so that the script cannot go around this restriction.

This is the 2.2 and trunk version (Lua 5.1): we exclude the io
library, os library, and blacklist functions dofile, loadfile.

For Lua 5.1, the list of modules and functions we consider unsafe are:

  "os",
  "io",
  "package",
  "dofile",
  "loadfile",
  "loadlib",
  "module",
  "require"

These are all unavailable by not being loaded or being explicitly blocked.


(file #8635, file #8636)
    _______________________________________________________

Additional Item Attachment:

File name: 0001-Make-impossible-to-access-operating-system-from-Lua-.patch
Size:3 KB
File name: 0001-Make-impossible-to-access-operating-system-2_1.patch Size:8
KB


    _______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?15624>

_______________________________________________
  Meddelandet skickades via/av Gna!
  http://gna.org/


_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

Reply via email to