Commit 5579fb52 authored by wolfs's avatar wolfs

Limit file creation/manipulation to luafiles subfolder

Also block % in filename strings
parent de03db99
1 merge request!200Lua Input/Output library
...@@ -17,6 +17,9 @@ ...@@ -17,6 +17,9 @@
#include "lauxlib.h" #include "lauxlib.h"
#include "lualib.h" #include "lualib.h"
#include "../i_system.h"
#include "../doomdef.h"
#include "../m_misc.h"
...@@ -173,11 +176,14 @@ static int io_open (lua_State *L) { ...@@ -173,11 +176,14 @@ static int io_open (lua_State *L) {
} }
} }
if (strstr(filename, "..") || strchr(filename, ':') || StartsWith(filename, "\\") if (strstr(filename, "..") || strchr(filename, ':') || StartsWith(filename, "\\")
|| StartsWith(filename, "/") || !pass) || StartsWith(filename, "/") || strchr(filename, '%') || !pass)
{ {
luaL_error(L,"access denied to %s", filename); luaL_error(L,"access denied to %s", filename);
return pushresult(L,0,filename); return pushresult(L,0,filename);
} }
I_mkdir("luafiles", 0755);
char* destFilename = va("luafiles"PATHSEP"%s", filename);
filename = destFilename;
const char *mode = luaL_optstring(L, 2, "r"); const char *mode = luaL_optstring(L, 2, "r");
FILE **pf = newfile(L); FILE **pf = newfile(L);
*pf = fopen(filename, mode); *pf = fopen(filename, mode);
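Review bot: The added `va("luafiles"PATHSEP"%s", filename)` formats a script-supplied name whose length is never checked, and `filename` then points at whatever buffer `va()` returns. If that is a fixed-size shared buffer (its definition is not on this page, so confirm), an over-long name can write past it and a later `va()` call could change the path before `fopen` reads it. Formatting into a local buffer with a truncation check removes both risks: `char dest[512]; int n = snprintf(dest, sizeof dest, "luafiles" PATHSEP "%s", filename);` then `if (n < 0 || (size_t)n >= sizeof dest) return luaL_error(L, "filename too long");` (512 is a constructed size). The result of `I_mkdir` is ignored and the directory is relative to the process working directory, so a comment above it should say where the sandbox is rooted and that the string checks do not cover symlinks already inside `luafiles`. `io_open` begins and ends outside the shown hunks.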