Mercurial Hosting > luan
changeset 1133:ba4daf107e07
fix security bug
author | Franklin Schmidt <fschmidt@gmail.com> |
---|---|
date | Wed, 17 Jan 2018 20:59:42 -0700 |
parents | b70102bab110 |
children | e54ae41e9501 |
files | src/luan/LuanJava.java src/luan/LuanJavaOk.java src/luan/LuanState.java src/luan/LuanTable.java src/luan/impl/Closure.java src/luan/impl/LuanCompiler.java src/luan/impl/LuanImpl.java src/luan/impl/LuanParser.java src/luan/modules/IoLuan.java src/luan/modules/JavaLuan.java src/luan/modules/Rpc.luan src/luan/modules/lucene/Lucene.luan |
diffstat | 12 files changed, 49 insertions(+), 47 deletions(-) [+] |
line wrap: on
line diff
diff -r b70102bab110 -r ba4daf107e07 src/luan/LuanJava.java --- a/src/luan/LuanJava.java Tue Jan 02 21:30:41 2018 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,14 +0,0 @@ -package luan; - - -public final class LuanJava implements LuanCloneable { - public boolean ok = false; - - @Override public LuanJava shallowClone() { - LuanJava java = new LuanJava(); - java.ok = ok; - return java; - } - - @Override public void deepenClone(LuanCloneable clone,LuanCloner cloner) {} -}
diff -r b70102bab110 -r ba4daf107e07 src/luan/LuanJavaOk.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/luan/LuanJavaOk.java Wed Jan 17 20:59:42 2018 -0700 @@ -0,0 +1,14 @@ +package luan; + + +public final class LuanJavaOk implements LuanCloneable { + public boolean ok = false; + + @Override public LuanJavaOk shallowClone() { + LuanJavaOk javaOk = new LuanJavaOk(); + javaOk.ok = ok; + return javaOk; + } + + @Override public void deepenClone(LuanCloneable clone,LuanCloner cloner) {} +}
diff -r b70102bab110 -r ba4daf107e07 src/luan/LuanState.java --- a/src/luan/LuanState.java Tue Jan 02 21:30:41 2018 -0700 +++ b/src/luan/LuanState.java Wed Jan 17 20:59:42 2018 -0700 @@ -14,13 +14,13 @@ public final class LuanState implements LuanCloneable { - public LuanJava java; + public LuanJavaOk javaOk; private Map registry; private final List<Reference<Closeable>> onClose = new ArrayList<Reference<Closeable>>(); public boolean isLocked = false; public LuanState() { - java = new LuanJava(); + javaOk = new LuanJavaOk(); registry = new HashMap(); } @@ -33,7 +33,7 @@ @Override public void deepenClone(LuanCloneable dc,LuanCloner cloner) { LuanState clone = (LuanState)dc; clone.registry = cloner.clone(registry); - clone.java = (LuanJava)cloner.clone(java); + clone.javaOk = (LuanJavaOk)cloner.clone(javaOk); if( cloner.type == LuanCloner.Type.INCREMENTAL ) isLocked = true; } @@ -84,7 +84,7 @@ LuanTable tbl = (LuanTable)obj; return tbl.get(this,key); } - if( obj != null && java.ok ) + if( obj != null && javaOk.ok ) return JavaLuan.__index(this,obj,key); throw new LuanException("attempt to index a " + Luan.type(obj) + " value" ); }
diff -r b70102bab110 -r ba4daf107e07 src/luan/LuanTable.java --- a/src/luan/LuanTable.java Tue Jan 02 21:30:41 2018 -0700 +++ b/src/luan/LuanTable.java Wed Jan 17 20:59:42 2018 -0700 @@ -17,7 +17,7 @@ private Map map = null; private List list = null; private LuanTable metatable = null; - public LuanJava java; + public LuanJavaOk javaOk; private LuanCloner cloner; public LuanTable() {} @@ -72,7 +72,7 @@ clone.map = map; clone.list = list; clone.metatable = metatable; - clone.java = java; + clone.javaOk = javaOk; return; } } @@ -101,7 +101,7 @@ clone.list = newList; } clone.metatable = (LuanTable)cloner.clone(metatable); - clone.java = (LuanJava)cloner.clone(java); + clone.javaOk = (LuanJavaOk)cloner.clone(javaOk); } public boolean isList() {
diff -r b70102bab110 -r ba4daf107e07 src/luan/impl/Closure.java --- a/src/luan/impl/Closure.java Tue Jan 02 21:30:41 2018 -0700 +++ b/src/luan/impl/Closure.java Wed Jan 17 20:59:42 2018 -0700 @@ -6,17 +6,17 @@ import luan.LuanException; import luan.LuanCloner; import luan.LuanCloneable; -import luan.LuanJava; +import luan.LuanJavaOk; public abstract class Closure extends LuanFunction implements LuanCloneable, Cloneable { public Pointer[] upValues; - public LuanJava ljava; + public LuanJavaOk javaOk; private LuanCloner cloner; - public Closure(int nUpValues,LuanJava java) throws LuanException { + public Closure(int nUpValues,LuanJavaOk javaOk) throws LuanException { this.upValues = new Pointer[nUpValues]; - this.ljava = java; + this.javaOk = javaOk; } @Override public Closure shallowClone() { @@ -33,12 +33,12 @@ switch( cloner.type ) { case COMPLETE: clone.upValues = (Pointer[])cloner.clone(upValues); - clone.ljava = (LuanJava)cloner.clone(ljava); + clone.javaOk = (LuanJavaOk)cloner.clone(javaOk); return; case INCREMENTAL: clone.cloner = cloner; clone.upValues = upValues; - clone.ljava = ljava; + clone.javaOk = javaOk; return; } } @@ -46,7 +46,7 @@ private void check() { if( cloner != null ) { upValues = (Pointer[])cloner.clone(upValues); - ljava = (LuanJava)cloner.clone(ljava); + javaOk = (LuanJavaOk)cloner.clone(javaOk); cloner = null; } } @@ -55,14 +55,14 @@ if( luan.isLocked ) throw new RuntimeException("luan is locked"); check(); - LuanJava old = luan.java; - luan.java = ljava; + LuanJavaOk old = luan.javaOk; + luan.javaOk = javaOk; try { return doCall(luan,args); } catch(StackOverflowError e) { throw new LuanException( "stack overflow" ); } finally { - luan.java = old; + luan.javaOk = old; } }
diff -r b70102bab110 -r ba4daf107e07 src/luan/impl/LuanCompiler.java --- a/src/luan/impl/LuanCompiler.java Tue Jan 02 21:30:41 2018 -0700 +++ b/src/luan/impl/LuanCompiler.java Wed Jan 17 20:59:42 2018 -0700 @@ -8,7 +8,7 @@ import luan.LuanState; import luan.LuanException; import luan.LuanTable; -import luan.LuanJava; +import luan.LuanJavaOk; import luan.modules.JavaLuan; import luan.modules.PackageLuan; @@ -18,19 +18,19 @@ public static LuanFunction compile(String sourceText,String sourceName,LuanTable env) throws LuanException { Class fnClass = env==null ? getClass(sourceText,sourceName) : getClass(sourceText,sourceName,env); - LuanJava java; + LuanJavaOk javaOk; if( env == null ) { - java = new LuanJava(); + javaOk = new LuanJavaOk(); } else { - java = env.java; - if( java == null ) { - java = new LuanJava(); - env.java = java; + javaOk = env.javaOk; + if( javaOk == null ) { + javaOk = new LuanJavaOk(); + env.javaOk = javaOk; } } Closure closure; try { - closure = (Closure)fnClass.getConstructor(LuanJava.class).newInstance(java); + closure = (Closure)fnClass.getConstructor(LuanJavaOk.class).newInstance(javaOk); } catch(NoSuchMethodException e) { throw new RuntimeException(e); } catch(InstantiationException e) {
diff -r b70102bab110 -r ba4daf107e07 src/luan/impl/LuanImpl.java --- a/src/luan/impl/LuanImpl.java Tue Jan 02 21:30:41 2018 -0700 +++ b/src/luan/impl/LuanImpl.java Wed Jan 17 20:59:42 2018 -0700 @@ -162,7 +162,7 @@ tbl.put(luan,key,value); return; } - if( t != null && luan.java.ok ) + if( t != null && luan.javaOk.ok ) JavaLuan.__new_index(luan,t,key,value); else throw new LuanException( "attempt to index a " + Luan.type(t) + " value" );
diff -r b70102bab110 -r ba4daf107e07 src/luan/impl/LuanParser.java --- a/src/luan/impl/LuanParser.java Tue Jan 02 21:30:41 2018 -0700 +++ b/src/luan/impl/LuanParser.java Wed Jan 17 20:59:42 2018 -0700 @@ -2012,12 +2012,12 @@ +"import luan.Luan; " +"import luan.LuanFunction; " +"import luan.LuanState; " - +"import luan.LuanJava; " + +"import luan.LuanJavaOk; " +"import luan.LuanException; " +"import luan.modules.PackageLuan; " +"public class " + className +" extends Closure { " - +"public "+className+"(LuanJava java) throws LuanException { " + +"public "+className+"(LuanJavaOk java) throws LuanException { " +"super("+upValueSymbols.size()+",java); " + init(upValueSymbols) +"} " @@ -2038,7 +2038,7 @@ stmt.add( "return LuanFunction.NOTHING; " ); Expr exp = new Expr(Val.SINGLE,false); exp.add( "" - +"new Closure("+upValueSymbols.size()+",ljava) { " + +"new Closure("+upValueSymbols.size()+",javaOk) { " +"{ " + init(upValueSymbols) +"} "
diff -r b70102bab110 -r ba4daf107e07 src/luan/modules/IoLuan.java --- a/src/luan/modules/IoLuan.java Tue Jan 02 21:30:41 2018 -0700 +++ b/src/luan/modules/IoLuan.java Wed Jan 17 20:59:42 2018 -0700 @@ -953,6 +953,8 @@ private static String SECURITY_KEY = "Io.Security"; private static void check(LuanState luan,String name) throws LuanException { + if( luan.javaOk.ok ) + return; Security s = (Security)luan.registry().get(SECURITY_KEY); if( s!=null ) s.check(luan,name);
diff -r b70102bab110 -r ba4daf107e07 src/luan/modules/JavaLuan.java --- a/src/luan/modules/JavaLuan.java Tue Jan 02 21:30:41 2018 -0700 +++ b/src/luan/modules/JavaLuan.java Wed Jan 17 20:59:42 2018 -0700 @@ -29,7 +29,7 @@ public static void java(LuanState luan) throws LuanException { check(luan,LuanException.currentSource()); - luan.java.ok = true; + luan.javaOk.ok = true; } public static final LuanFunction javaFn; @@ -42,7 +42,7 @@ } private static void checkJava(LuanState luan) throws LuanException { - if( !luan.java.ok ) + if( !luan.javaOk.ok ) throw new LuanException("Java isn't allowed"); }
diff -r b70102bab110 -r ba4daf107e07 src/luan/modules/Rpc.luan --- a/src/luan/modules/Rpc.luan Tue Jan 02 21:30:41 2018 -0700 +++ b/src/luan/modules/Rpc.luan Wed Jan 17 20:59:42 2018 -0700 @@ -173,7 +173,7 @@ end_function function Rpc.remote(domain) - local socket = "socket:" .. domain .. ":" .. Rpc.port + local socket = "socket:"..domain..":"..Rpc.port return Rpc.remote_socket(socket) end_function
diff -r b70102bab110 -r ba4daf107e07 src/luan/modules/lucene/Lucene.luan --- a/src/luan/modules/lucene/Lucene.luan Tue Jan 02 21:30:41 2018 -0700 +++ b/src/luan/modules/lucene/Lucene.luan Wed Jan 17 20:59:42 2018 -0700 @@ -146,7 +146,7 @@ error "multiple lucene instances" end - if Rpc.functions.backup == nil then + if Rpc.functions.lucene_backup == nil then function Rpc.functions.lucene_backup(password) Io.password == password or error "wrong password"