Mercurial Hosting > luan
changeset 203:99eef1d0e706
IO security
git-svn-id: https://luan-java.googlecode.com/svn/trunk@204 21e917c8-12df-6dd8-5cb6-c86387c605b9
author | fschmidt@gmail.com <fschmidt@gmail.com@21e917c8-12df-6dd8-5cb6-c86387c605b9> |
---|---|
date | Sun, 06 Jul 2014 03:54:08 +0000 |
parents | 75750ceb45ee |
children | cee6581b6f56 |
files | core/src/luan/impl/LuanParser.java core/src/luan/modules/IoLuan.java core/src/luan/modules/Utils.java dist/luan-core-trunk.jar dist/luan-web-trunk.jar web/src/luan/modules/web/LuanHandler.java |
diffstat | 6 files changed, 76 insertions(+), 27 deletions(-) [+] |
line wrap: on
line diff
diff -r 75750ceb45ee -r 99eef1d0e706 core/src/luan/impl/LuanParser.java --- a/core/src/luan/impl/LuanParser.java Fri Jul 04 17:18:39 2014 +0000 +++ b/core/src/luan/impl/LuanParser.java Sun Jul 06 03:54:08 2014 +0000 @@ -834,9 +834,9 @@ List<TableExpr.Field> fields = new ArrayList<TableExpr.Field>(); List<Expressions> builder = new ArrayList<Expressions>(); while( Field(fields,builder,in) && FieldSep(inParens) ); - Spaces(inParens); if( !parser.match('}') ) throw parser.exception("Expected table element or '}'"); + Spaces(in); return parser.success( new TableExpr( se(start), fields.toArray(new TableExpr.Field[0]), ExpList.build(builder) ) ); }
diff -r 75750ceb45ee -r 99eef1d0e706 core/src/luan/modules/IoLuan.java --- a/core/src/luan/modules/IoLuan.java Fri Jul 04 17:18:39 2014 +0000 +++ b/core/src/luan/modules/IoLuan.java Sun Jul 06 03:54:08 2014 +0000 @@ -22,6 +22,8 @@ import java.net.Socket; import java.net.ServerSocket; import java.net.MalformedURLException; +import java.util.List; +import java.util.ArrayList; import luan.LuanState; import luan.LuanTable; import luan.LuanFunction; @@ -311,8 +313,8 @@ public static final class LuanUrl extends LuanIn { private final URL url; - private LuanUrl(String s) throws MalformedURLException { - this.url = new URL(s); + private LuanUrl(URL url) throws LuanException { + this.url = url; } @Override InputStream inputStream() throws IOException { @@ -327,8 +329,9 @@ public static final class LuanFile extends LuanIO { private final File file; - private LuanFile(String name) { - this(new File(name)); + private LuanFile(LuanState luan,File file) throws LuanException { + this(file); + check(luan,file.toString()); } private LuanFile(File file) { @@ -347,17 +350,17 @@ return file.toString(); } - public LuanTable child(String name) { - return new LuanFile(new File(file,name)).table(); + public LuanTable child(LuanState luan,String name) throws LuanException { + return new LuanFile(luan,new File(file,name)).table(); } - public LuanTable children() { + public LuanTable children(LuanState luan) throws LuanException { File[] files = file.listFiles(); if( files==null ) return null; LuanTable list = new LuanTable(); for( File f : files ) { - list.add(new LuanFile(f).table()); + list.add(new LuanFile(luan,f).table()); } return list; } @@ -394,10 +397,10 @@ File.class.getMethod( "lastModified" ), file ) ); tbl.put( "child", new LuanJavaFunction( - LuanFile.class.getMethod( "child", String.class ), this + LuanFile.class.getMethod( "child", LuanState.class, String.class ), this ) ); tbl.put( "children", new LuanJavaFunction( - LuanFile.class.getMethod( "children" ), this + LuanFile.class.getMethod( "children", LuanState.class ), this ) ); } catch(NoSuchMethodException e) { throw new RuntimeException(e); @@ -407,15 +410,13 @@ } public static LuanIn luanIo(LuanState luan,String name) throws LuanException { - if( Utils.isFile(name) ) - return new LuanFile(name); - String url = Utils.toUrl(name); + check(luan,name); + File file = Utils.toFile(name); + if( file != null ) + return new LuanFile(file); + URL url = Utils.toUrl(name); if( url != null ) { - try { - return new LuanUrl(url); - } catch(MalformedURLException e) { - throw new RuntimeException(e); - } + return new LuanUrl(url); } throw luan.exception( "file '"+name+"' not found" ); } @@ -498,5 +499,51 @@ }; } + + // security + + public interface Security { + public void check(LuanState luan,String name) throws LuanException; + } + + private static String SECURITY_KEY = "Io.Security"; + + private static void check(LuanState luan,String name) throws LuanException { + @SuppressWarnings("unchecked") + List<Security> list = (List<Security>)luan.registry().get(SECURITY_KEY); + if( list==null ) + return; + for( Security s : list ) { + s.check(luan,name); + } + } + + public static void addSecurity(LuanState luan,Security s) { + @SuppressWarnings("unchecked") + List<Security> list = (List<Security>)luan.registry().get(SECURITY_KEY); + if( list==null ) { + list = new ArrayList<Security>(); + luan.registry().put(SECURITY_KEY,list); + } + list.add(s); + } + + public static class DirSecurity implements Security { + private final String[] dirs; + + public DirSecurity(LuanState luan,String[] dirs) { + this.dirs = dirs; + } + + @Override public void check(LuanState luan,String name) throws LuanException { + for( String dir : dirs ) { + if( name.startsWith(dir) ) + return; + } + throw luan.exception("Security violation - '"+name+"' not in allowed directory"); + } + } + + private void IoLuan() {} // never }
diff -r 75750ceb45ee -r 99eef1d0e706 core/src/luan/modules/Utils.java --- a/core/src/luan/modules/Utils.java Fri Jul 04 17:18:39 2014 +0000 +++ b/core/src/luan/modules/Utils.java Sun Jul 06 03:54:08 2014 +0000 @@ -60,11 +60,14 @@ } } - public static boolean isFile(String path) { - return !path.contains("//") && exists(new File(path)); + public static File toFile(String path) { + if( path.contains("//") ) + return null; + File file = new File(path); + return exists(file) ? file : null; } - public static String toUrl(String path) { + public static URL toUrl(String path) { if( path.indexOf(':') == -1 ) return null; if( path.startsWith("java:") ) { @@ -72,16 +75,15 @@ if( path.contains("//") ) return null; URL url = ClassLoader.getSystemResource(path); - return url==null ? null : url.toString(); + return url==null ? null : url; } try { - new URL(path); - return path; + return new URL(path); } catch(MalformedURLException e) {} return null; } public static boolean exists(String path) { - return isFile(path) || toUrl(path)!=null; + return toFile(path)!=null || toUrl(path)!=null; } }
diff -r 75750ceb45ee -r 99eef1d0e706 dist/luan-core-trunk.jar Binary file dist/luan-core-trunk.jar has changed
diff -r 75750ceb45ee -r 99eef1d0e706 dist/luan-web-trunk.jar Binary file dist/luan-web-trunk.jar has changed
diff -r 75750ceb45ee -r 99eef1d0e706 web/src/luan/modules/web/LuanHandler.java --- a/web/src/luan/modules/web/LuanHandler.java Fri Jul 04 17:18:39 2014 +0000 +++ b/web/src/luan/modules/web/LuanHandler.java Sun Jul 06 03:54:08 2014 +0000 @@ -30,7 +30,7 @@ response.setStatus(HttpServletResponse.SC_OK); } catch(LuanException e) { //e.printStackTrace(); - response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,e.getMessage()); + response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,e.getFullMessage()); } baseRequest.setHandled(true); }