From 917646fc9f75ab573d2b09429784dcc0940f8619 Mon Sep 17 00:00:00 2001
From: "Kartik K. Agaram"
Date: Sat, 25 Dec 2021 10:52:48 -0800
Subject: sandbox: no popen

Again, too difficult to sandbox for now.
---
 README.md | 1 +
 sandboxing/README.md | 2 +-
 src/liolib.c | 30 +-----------------------------
 src/luaconf.h | 28 ----------------------------
 4 files changed, 3 insertions(+), 58 deletions(-)

diff --git a/README.md b/README.md
index afc8271..26581d3 100644
--- a/README.md
+++ b/README.md
@@ -131,6 +131,7 @@ libraries. However, a few things are different from conventional Lua:
 * Some functions are disabled because I don't know how to sandbox them effectively: - `os.execute`
+ - `io.popen`
 * Some functions in lcurses have [additional smarts](https://github.com/lcurses/lcurses/blob/master/lib/curses.lua). Teliva is [consistent with the underlying ncurses](https://github.com/akkartik/teliva/blob/main/src/lcurses/curses.lua).
diff --git a/sandboxing/README.md b/sandboxing/README.md
index 341cd82..4218054 100644
--- a/sandboxing/README.md
+++ b/sandboxing/README.md
@@ -33,7 +33,7 @@ Scenarios:
 allows an app to do anything. Educate people to separate apps that read sensitive data from apps that access remote servers. - (2) solution: map phases within an app to distinct permission sets
- * (3) app wants access to system() or exec()
+ * (3) app wants access to system() or exec() or popen()
 Difficulty levels 1. I have some sense of how to enforce this.
diff --git a/src/liolib.c b/src/liolib.c
index 649f9a5..04f102b 100644
--- a/src/liolib.c
+++ b/src/liolib.c
@@ -102,17 +102,6 @@ static int io_noclose (lua_State *L) {
 }
-/*
-** function to close 'popen' files
-*/
-static int io_pclose (lua_State *L) {
- FILE **p = tofilep(L);
- int ok = lua_pclose(L, *p);
- *p = NULL;
- return pushresult(L, ok, NULL);
-}
-
-
 /*
 ** function to close regular files
 */
@@ -167,19 +156,6 @@ static int io_open (lua_State *L) {
 }
-/*
-** this function has a separated environment, which defines the
-** correct __close for 'popen' files
-*/
-static int io_popen (lua_State *L) {
- const char *filename = luaL_checkstring(L, 1);
- const char *mode = luaL_optstring(L, 2, "r");
- FILE **pf = newfile(L);
- *pf = lua_popen(L, filename, mode);
- return (*pf == NULL) ? pushresult(L, 0, filename) : 1;
-}
-
-
 static int io_tmpfile (lua_State *L) {
 FILE **pf = newfile(L);
 *pf = tmpfile();
@@ -484,7 +460,7 @@ static const luaL_Reg iolib[] = {
 {"lines", io_lines},
 {"open", io_open},
 {"output", io_output},
- {"popen", io_popen},
+ /* no popen without sandboxing it */
 {"read", io_read},
 {"tmpfile", io_tmpfile},
 {"type", io_type},
@@ -547,10 +523,6 @@ LUALIB_API int luaopen_io (lua_State *L) {
 createstdfile(L, stdout, IO_OUTPUT, "stdout");
 createstdfile(L, stderr, 0, "stderr");
 lua_pop(L, 1); /* pop environment for default files */
- lua_getfield(L, -1, "popen");
- newfenv(L, io_pclose); /* create environment for 'popen' */
- lua_setfenv(L, -2); /* set fenv for 'popen' */
- lua_pop(L, 1); /* pop 'popen' */
 return 1;
 }
diff --git a/src/luaconf.h b/src/luaconf.h
index 4d295e6..44d6f55 100644
--- a/src/luaconf.h
+++ b/src/luaconf.h
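Review bot: In the `iolib[]` hunk the `{"popen", io_popen}` slot is dropped outright, so a script that still calls `io.popen` will presumably fail with Lua's generic nil-call error rather than a message saying the function was disabled by the sandbox; the `#else` branch this commit removes from luaconf.h already had the clearer form `luaL_error(L, LUA_QL("popen") " not supported")`. Keeping the name registered and bound to a stub such as `static int io_popen (lua_State *L) { return luaL_error(L, LUA_QL("popen") " not supported"); }` makes the refusal explicit at the call site and lets a review of the io table distinguish a deliberate stub from an accidental omission. Such a stub must not reference lua_popen or lua_pclose, since the luaconf.h hunk removes both macros. The `iolib[]` array starts in this hunk's header context and ends outside the hunk.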
@@ -620,34 +620,6 @@ extern int mkstemp(char *);
 #endif
-/*
-@@ lua_popen spawns a new process connected to the current one through
-@* the file streams.
-** CHANGE it if you have a way to implement it in your system.
-*/
-#if defined(LUA_USE_POPEN)
-
-/* we have newer libraries even though the dialect is C99 */
-#include
-extern FILE *popen(const char *, const char *);
-extern int pclose(FILE *);
-
-#define lua_popen(L,c,m) ((void)L, fflush(NULL), popen(c,m))
-#define lua_pclose(L,file) ((void)L, (pclose(file) != -1))
-
-#elif defined(LUA_WIN)
-
-#define lua_popen(L,c,m) ((void)L, _popen(c,m))
-#define lua_pclose(L,file) ((void)L, (_pclose(file) != -1))
-
-#else
-
-#define lua_popen(L,c,m) ((void)((void)c, m), \
- luaL_error(L, LUA_QL("popen") " not supported"), (FILE*)0)
-#define lua_pclose(L,file) ((void)((void)L, file), 0)
-
-#endif
-
 /*
 @@ LUA_DL_* define which dynamic-library system Lua should use.
 ** CHANGE here if Lua has problems choosing the appropriate
--
cgit 1.4.1-2-gfad0
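Review bot: The new side of luaconf.h leaves no trace that `lua_popen` and `lua_pclose` were removed on purpose, whereas liolib.c gets an explanatory comment in the same commit; a reader who now sees the LUA_DL_* block directly after the mkstemp `#endif` cannot tell that any C module still using `lua_popen` is meant to fail to compile, which is presumably the intent. A short comment in the header's own block style where the definitions used to be, e.g. `/* lua_popen/lua_pclose are deliberately undefined: io.popen is not` / `** sandboxed (see README.md). */`, would record the decision at the point where the symbols were defined.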