Mercurial Hosting > luan
comparison core/src/luan/modules/IoLuan.java @ 277:8ac3eaf8ecd9
fix security
git-svn-id: https://luan-java.googlecode.com/svn/trunk@278 21e917c8-12df-6dd8-5cb6-c86387c605b9
| author | fschmidt@gmail.com <fschmidt@gmail.com@21e917c8-12df-6dd8-5cb6-c86387c605b9> |
|---|---|
| date | Fri, 21 Nov 2014 05:39:46 +0000 |
| parents | eb27e765affb |
| children | a1fa4fba99de |
comparison
equal
deleted
inserted
replaced
| 276:e5a0dd95f3e7 | 277:8ac3eaf8ecd9 |
|---|---|
| 348 public static final class LuanFile extends LuanIO { | 348 public static final class LuanFile extends LuanIO { |
| 349 private final File file; | 349 private final File file; |
| 350 | 350 |
| 351 private LuanFile(LuanState luan,File file) throws LuanException { | 351 private LuanFile(LuanState luan,File file) throws LuanException { |
| 352 this(file); | 352 this(file); |
| 353 check(luan,file.toString()); | 353 check(luan,"file",file.toString()); |
| 354 } | 354 } |
| 355 | 355 |
| 356 private LuanFile(File file) { | 356 private LuanFile(File file) { |
| 357 this.file = file; | 357 this.file = file; |
| 358 } | 358 } |
| 437 return null; | 437 return null; |
| 438 String path = name; | 438 String path = name; |
| 439 boolean isLoading = Boolean.TRUE.equals(loading); | 439 boolean isLoading = Boolean.TRUE.equals(loading); |
| 440 if( isLoading ) | 440 if( isLoading ) |
| 441 path += ".luan"; | 441 path += ".luan"; |
| 442 check(luan,"classpath",path); | |
| 442 URL url; | 443 URL url; |
| 443 if( !path.contains("#") ) { | 444 if( !path.contains("#") ) { |
| 444 url = ClassLoader.getSystemResource(path); | 445 url = ClassLoader.getSystemResource(path); |
| 445 } else { | 446 } else { |
| 446 String[] a = path.split("#"); | 447 String[] a = path.split("#"); |
| 464 | 465 |
| 465 // try java | 466 // try java |
| 466 if( !isLoading ) | 467 if( !isLoading ) |
| 467 return null; | 468 return null; |
| 468 String modName = name.replace('/','.') + "Luan.LOADER"; | 469 String modName = name.replace('/','.') + "Luan.LOADER"; |
| 470 // check(luan,"classpath",modName); | |
| 469 try { | 471 try { |
| 470 //System.out.println("modName = "+modName); | 472 //System.out.println("modName = "+modName); |
| 471 final LuanFunction fn = PackageLuan.load_lib(luan,modName); // throws exception if not found | 473 final LuanFunction fn = PackageLuan.load_lib(luan,modName); // throws exception if not found |
| 472 LuanFunction loader = new LuanFunction() { | 474 LuanFunction loader = new LuanFunction() { |
| 473 @Override public Object call(LuanState luan,Object[] args) { | 475 @Override public Object call(LuanState luan,Object[] args) { |
| 645 | 647 |
| 646 | 648 |
| 647 // security | 649 // security |
| 648 | 650 |
| 649 public interface Security { | 651 public interface Security { |
| 650 public void check(LuanState luan,String name) throws LuanException; | 652 public void check(LuanState luan,String scheme,String name) throws LuanException; |
| 651 } | 653 } |
| 652 | 654 |
| 653 private static String SECURITY_KEY = "Io.Security"; | 655 private static String SECURITY_KEY = "Io.Security"; |
| 654 | 656 |
| 655 private static void check(LuanState luan,String name) throws LuanException { | 657 private static void check(LuanState luan,String scheme,String name) throws LuanException { |
| 656 Security s = (Security)luan.registry().get(SECURITY_KEY); | 658 Security s = (Security)luan.registry().get(SECURITY_KEY); |
| 657 if( s!=null ) | 659 if( s!=null ) |
| 658 s.check(luan,name); | 660 s.check(luan,scheme,name); |
| 659 } | 661 } |
| 660 | 662 |
| 661 public static void setSecurity(LuanState luan,Security s) { | 663 public static void setSecurity(LuanState luan,Security s) { |
| 662 luan.registry().put(SECURITY_KEY,s); | 664 luan.registry().put(SECURITY_KEY,s); |
| 663 } | 665 } |
| 664 | 666 |
| 665 public static class DirSecurity implements Security { | |
| 666 private final String[] dirs; | |
| 667 | |
| 668 public DirSecurity(LuanState luan,String[] dirs) { | |
| 669 this.dirs = dirs; | |
| 670 } | |
| 671 | |
| 672 @Override public void check(LuanState luan,String name) throws LuanException { | |
| 673 if( name.contains("..") ) | |
| 674 throw luan.exception("Security violation - '"+name+"' contains '..'"); | |
| 675 for( String dir : dirs ) { | |
| 676 if( name.startsWith(dir) ) | |
| 677 return; | |
| 678 } | |
| 679 throw luan.exception("Security violation - '"+name+"' not in allowed directory"); | |
| 680 } | |
| 681 } | |
| 682 | |
| 683 | |
| 684 private void IoLuan() {} // never | 667 private void IoLuan() {} // never |
| 685 } | 668 } |