https://www.mediawiki.org/wiki/Special:Code/MediaWiki/114952

Revision: 114952
Author:   tstarling
Date:     2012-04-18 03:05:39 +0000 (Wed, 18 Apr 2012)
Log Message:
-----------
Allow unrestricted setfenv() and getfenv(). Module isolation is more easily 
handled in Lua code.

Modified Paths:
--------------
    trunk/php/luasandbox/library.c

Modified: trunk/php/luasandbox/library.c
===================================================================
--- trunk/php/luasandbox/library.c      2012-04-18 00:37:58 UTC (rev 114951)
+++ trunk/php/luasandbox/library.c      2012-04-18 03:05:39 UTC (rev 114952)
@@ -23,7 +23,6 @@
 static int luasandbox_math_randomseed(lua_State * L);
 static int luasandbox_base_pcall(lua_State * L);
 static int luasandbox_base_xpcall(lua_State *L);
-static int luasandbox_base_setfenv(lua_State *L);
 
 /**
  * Allowed global variables. Omissions are:
@@ -37,7 +36,6 @@
  *   * tostring: Provides addresses of tables and functions, which provides an 
  *     easy ASLR workaround or heap address discovery mechanism for a memory 
  *     corruption exploit. We have our own version.
- *   * getfenv, setfenv: Can be used to break module isolation.
  *   * Any new or undocumented functions like newproxy.
  *   * package: cpath, loadlib etc. are insecure.
  *   * coroutine: Not useful for our application so unreviewed at present.
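Review bot: Deleting the `getfenv, setfenv` bullet leaves this header comment silent about two functions that it previously listed as an isolation risk and that are now allowed. The commit message gives the reason, but the file should carry it too, for example ` * getfenv and setfenv are allowed unrestricted; module isolation is enforced in Lua code, not here.` placed after the omissions list. The comment block starts and ends outside this hunk.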
@@ -49,6 +47,7 @@
        // base
        "assert",
        "error",
+       "getfenv",
        "getmetatable",
        "ipairs",
        "next",
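Review bot: The stock `getfenv` whitelisted here, and the stock `setfenv` added in the next hunk, accept a stack level as their first argument, which the deleted `luasandbox_base_setfenv` refused by requiring a Lua function. Sandboxed code can therefore read or replace the environment of calling frames and, at level 0, of the running thread, so module isolation now rests entirely on Lua-side code that is not part of this commit. I would hold these two entries back until that Lua code is in the tree, or mark the dependency at the entries with something like `// getfenv/setfenv: unrestricted; isolation must be enforced by the Lua module loader`. A test that loads two modules and checks that neither can reach the other's environment through these functions would pin the guarantee. The array starts and ends outside this hunk.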
@@ -57,6 +56,7 @@
        "rawget",
        "rawset",
        "select",
+       "setfenv",
        "setmetatable",
        "tonumber",
        "type",
@@ -107,15 +107,13 @@
                }
        }
 
-       // Install our own versions of tostring, pcall, xpcall, setfenv
+       // Install our own versions of tostring, pcall, xpcall
        lua_pushcfunction(L, luasandbox_base_tostring);
        lua_setglobal(L, "tostring");
        lua_pushcfunction(L, luasandbox_base_pcall);
        lua_setglobal(L, "pcall");
        lua_pushcfunction(L, luasandbox_base_xpcall);
        lua_setglobal(L, "xpcall");
-       lua_pushcfunction(L, luasandbox_base_setfenv);
-       lua_setglobal(L, "setfenv");
 
        // Remove string.dump: may expose private data
        lua_getglobal(L, "string");
@@ -350,18 +348,3 @@
 }
 /* }}} */
 
-/* {{{ luasandbox_base_setfenv
- *
- * A setfenv() implementation that does not allow integer keys for the first
- * argument.
- */
-static int luasandbox_base_setfenv(lua_State *L)
-{
-       luaL_checktype(L, 2, LUA_TTABLE);
-       lua_pushvalue(L, 2);
-       if (!lua_isfunction(L, 1) || lua_iscfunction(L, 1) || lua_setfenv(L, 1) 
== 0) {
-               luaL_error(L, "'setfenv' cannot change environment of given 
object");   
-       }
-       return 1;
-}
-/* }}} */

