comparison core/src/luan/modules/IoLuan.java @ 277:8ac3eaf8ecd9
fix security
git-svn-id: https://luan-java.googlecode.com/svn/trunk@278 21e917c8-12df-6dd8-5cb6-c86387c605b9
author | fschmidt@gmail.com <fschmidt@gmail.com@21e917c8-12df-6dd8-5cb6-c86387c605b9> |
---|---|
date | Fri, 21 Nov 2014 05:39:46 +0000 |
parents | eb27e765affb |
children | a1fa4fba99de |
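--- a/core/src/luan/modules/IoLuan.java
+++ b/core/src/luan/modules/IoLuan.java
@@ -348,11 +348,11 @@
 public static final class LuanFile extends LuanIO {
 private final File file;
 
 private LuanFile(LuanState luan,File file) throws LuanException {
 this(file);
-check(luan,file.toString());
+check(luan,"file",file.toString());
 }
 
 private LuanFile(File file) {
 this.file = file;
 }
@@ -437,10 +437,11 @@
 return null;
 String path = name;
 boolean isLoading = Boolean.TRUE.equals(loading);
 if( isLoading )
 path += ".luan";
+check(luan,"classpath",path);
 URL url;
 if( !path.contains("#") ) {
 url = ClassLoader.getSystemResource(path);
 } else {
 String[] a = path.split("#");
@@ -464,10 +465,11 @@
 
 // try java
 if( !isLoading )
 return null;
 String modName = name.replace('/','.') + "Luan.LOADER";
+// check(luan,"classpath",modName);
 try {
 //System.out.println("modName = "+modName);
 final LuanFunction fn = PackageLuan.load_lib(luan,modName); // throws exception if not found
 LuanFunction loader = new LuanFunction() {
 @Override public Object call(LuanState luan,Object[] args) {
@@ -645,41 +647,22 @@
 
 
 // security
 
 public interface Security {
-public void check(LuanState luan,String name) throws LuanException;
+public void check(LuanState luan,String scheme,String name) throws LuanException;
 }
 
 private static String SECURITY_KEY = "Io.Security";
 
-private static void check(LuanState luan,String name) throws LuanException {
+private static void check(LuanState luan,String scheme,String name) throws LuanException {
 Security s = (Security)luan.registry().get(SECURITY_KEY);
 if( s!=null )
-s.check(luan,name);
+s.check(luan,scheme,name);
 }
 
 public static void setSecurity(LuanState luan,Security s) {
 luan.registry().put(SECURITY_KEY,s);
 }
 
-public static class DirSecurity implements Security {
-private final String[] dirs;
-
-public DirSecurity(LuanState luan,String[] dirs) {
-this.dirs = dirs;
-}
-
-@Override public void check(LuanState luan,String name) throws LuanException {
-if( name.contains("..") )
-throw luan.exception("Security violation - '"+name+"' contains '..'");
-for( String dir : dirs ) {
-if( name.startsWith(dir) )
-return;
-}
-throw luan.exception("Security violation - '"+name+"' not in allowed directory");
-}
-}
-
-
 private void IoLuan() {} // never
 }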
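Review bot: The Java fallback in the classpath loader (new lines 466-473) still calls `PackageLuan.load_lib(luan,modName)` without consulting the registered `Security`, because the check added at new line 470 is commented out. If a sandbox policy is meant to cover class loading as well as `.luan` resources, enable it as `check(luan,"classpath",modName);`; if the exemption is deliberate, replace the dead line with a comment saying why, since `modName` is derived from the caller-supplied `name`. Whether `load_lib` applies its own restriction is not visible here, and the enclosing method starts and ends outside the shown lines. The changed `Security.check(luan,scheme,name)` signature would also benefit from a Javadoc line listing the scheme values passed in this file (`"file"`, `"classpath"`) and noting that the file name arrives as `file.toString()`, not a canonical path.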