mirror
/
tile38
mirror of https://github.com/tidwall/tile38.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: set package module to nil in lua namespace; prevents calling loaders

This commit is contained in:
program-- 2022-11-09 13:50:43 -08:00
parent ab8e1cc202
commit 9a531a8945
2 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
internal/server/scripts.go
View File

@ -124,6 +124,9 @@ func (pl *lStatePool) New() *lua.LState {
}
}
// Set package module to Nil so loaders can't be accessed
L.SetGlobal("package", lua.LNil)
getArgs := func(ls *lua.LState) (evalCmd string, args []string) {
evalCmd = ls.GetGlobal("EVAL_CMD").String()

3
tests/scripts_test.go
View File

@ -71,6 +71,7 @@ func scripts_VULN_test(mc *mockServer) error {
{"EVAL", "return os.getenv", "0"}, {nil},
{"EVAL", "return os.clock", "0"}, {"ERR Unsupported lua type: function"},
{"EVAL", "return loadfile", "0"}, {nil},
{"EVAL", "return tonumber", "0"}, {"ERR Unsupported lua type: function"},
{"EVAL", "return tonumber(ARGV[1])", "0", "38"}, {"38"},
{"EVAL", "return package", "0"}, {nil},
})
}