Project

General

Profile

Bug #693065

'/read' is allowed to execute '/lua unsafe-*' but can come from a mod pack

Added by Sveinung Kvilhaugsvik almost 3 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Category:
Server
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:

Description

Jacob Nevins wrote in Feature #692001:

It looks like '/read' is allowed to execute '/lua unsafe-file' etc.

Since rulesets are generally distributed with a .serv script, we should probably restrict what '/read' can do, even if executed from console / with 'hack' access. (In another ticket)


Related issues

Blocks Freeciv - Task #673656: S3_1 datafile format freeze (d3f)New

History

#1 Updated by Marko Lindqvist over 2 years ago

  • Blocks Task #656466: S3_0 datafile format freeze (d3f) added

#2 Updated by Marko Lindqvist over 2 years ago

Are 'lua unsafe-*' commands needed at S3_0 at all? The reasoning for their inclusion was running some tests that I think we run for master only.

If they are not needed in S3_0, I would prefer not to try to resolve their problems in that branch, but to revert them completely.

#3 Updated by Sveinung Kvilhaugsvik over 2 years ago

Marko Lindqvist wrote:

Are 'lua unsafe-*' commands needed at S3_0 at all? The reasoning for their inclusion was running some tests that I think we run for master only.

They are useful when running the "did I break a ruleset?" test (./tests/rulesets_not_broken.sh) manually. This makes their usefulness depend on the number of future ruleset format changes to 3.0 where the developer plans to use rulesets_not_broken.sh to verify that a ruleset weren't accidentally broken.

This isn't an objection to removing them from S3_0.

#4 Updated by Marko Lindqvist over 1 year ago

  • Category set to Server
  • Target version changed from 3.0.0 to 3.1.0

lua-unsafe-* patches reverted from S3_0. That's Feature #692021, Feature #692310, and Feature #692001

#5 Updated by Marko Lindqvist over 1 year ago

  • Blocks Task #673656: S3_1 datafile format freeze (d3f) added

#6 Updated by Marko Lindqvist over 1 year ago

  • Blocks deleted (Task #656466: S3_0 datafile format freeze (d3f))

#7 Updated by Marko Lindqvist over 1 year ago

Attached patch disallows execution of 'lua unsafe' and 'lua unsafe-file' when commands are read from a recursion level greater than 0 (i.e. at least one level of '/read')

#8 Updated by Marko Lindqvist over 1 year ago

  • Status changed from Resolved to Closed
  • Assignee set to Marko Lindqvist

Also available in: Atom PDF