changeset 1133:ba4daf107e07

fix security bug
author Franklin Schmidt <fschmidt@gmail.com>
date Wed, 17 Jan 2018 20:59:42 -0700
parents b70102bab110
children e54ae41e9501
files src/luan/LuanJava.java src/luan/LuanJavaOk.java src/luan/LuanState.java src/luan/LuanTable.java src/luan/impl/Closure.java src/luan/impl/LuanCompiler.java src/luan/impl/LuanImpl.java src/luan/impl/LuanParser.java src/luan/modules/IoLuan.java src/luan/modules/JavaLuan.java src/luan/modules/Rpc.luan src/luan/modules/lucene/Lucene.luan
diffstat 12 files changed, 49 insertions(+), 47 deletions(-) [+]
line wrap: on
line diff
diff -r b70102bab110 -r ba4daf107e07 src/luan/LuanJava.java
--- a/src/luan/LuanJava.java	Tue Jan 02 21:30:41 2018 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,14 +0,0 @@
-package luan;
-
-
-public final class LuanJava implements LuanCloneable {
-	public boolean ok = false;
-
-	@Override public LuanJava shallowClone() {
-		LuanJava java = new LuanJava();
-		java.ok = ok;
-		return java;
-	}
-
-	@Override public void deepenClone(LuanCloneable clone,LuanCloner cloner) {}
-}
diff -r b70102bab110 -r ba4daf107e07 src/luan/LuanJavaOk.java
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/luan/LuanJavaOk.java	Wed Jan 17 20:59:42 2018 -0700
@@ -0,0 +1,14 @@
+package luan;
+
+
+public final class LuanJavaOk implements LuanCloneable {
+	public boolean ok = false;
+
+	@Override public LuanJavaOk shallowClone() {
+		LuanJavaOk javaOk = new LuanJavaOk();
+		javaOk.ok = ok;
+		return javaOk;
+	}
+
+	@Override public void deepenClone(LuanCloneable clone,LuanCloner cloner) {}
+}
diff -r b70102bab110 -r ba4daf107e07 src/luan/LuanState.java
--- a/src/luan/LuanState.java	Tue Jan 02 21:30:41 2018 -0700
+++ b/src/luan/LuanState.java	Wed Jan 17 20:59:42 2018 -0700
@@ -14,13 +14,13 @@
 
 
 public final class LuanState implements LuanCloneable {
-	public LuanJava java;
+	public LuanJavaOk javaOk;
 	private Map registry;
 	private final List<Reference<Closeable>> onClose = new ArrayList<Reference<Closeable>>();
 	public boolean isLocked = false;
 
 	public LuanState() {
-		java = new LuanJava();
+		javaOk = new LuanJavaOk();
 		registry = new HashMap();
 	}
 
@@ -33,7 +33,7 @@
 	@Override public void deepenClone(LuanCloneable dc,LuanCloner cloner) {
 		LuanState clone = (LuanState)dc;
 		clone.registry = cloner.clone(registry);
-		clone.java = (LuanJava)cloner.clone(java);
+		clone.javaOk = (LuanJavaOk)cloner.clone(javaOk);
 		if( cloner.type == LuanCloner.Type.INCREMENTAL )
 			isLocked = true;
 	}
@@ -84,7 +84,7 @@
 			LuanTable tbl = (LuanTable)obj;
 			return tbl.get(this,key);
 		}
-		if( obj != null && java.ok )
+		if( obj != null && javaOk.ok )
 			return JavaLuan.__index(this,obj,key);
 		throw new LuanException("attempt to index a " + Luan.type(obj) + " value" );
 	}
diff -r b70102bab110 -r ba4daf107e07 src/luan/LuanTable.java
--- a/src/luan/LuanTable.java	Tue Jan 02 21:30:41 2018 -0700
+++ b/src/luan/LuanTable.java	Wed Jan 17 20:59:42 2018 -0700
@@ -17,7 +17,7 @@
 	private Map map = null;
 	private List list = null;
 	private LuanTable metatable = null;
-	public LuanJava java;
+	public LuanJavaOk javaOk;
 	private LuanCloner cloner;
 
 	public LuanTable() {}
@@ -72,7 +72,7 @@
 			clone.map = map;
 			clone.list = list;
 			clone.metatable = metatable;
-			clone.java = java;
+			clone.javaOk = javaOk;
 			return;
 		}
 	}
@@ -101,7 +101,7 @@
 			clone.list = newList;
 		}
 		clone.metatable = (LuanTable)cloner.clone(metatable);
-		clone.java = (LuanJava)cloner.clone(java);
+		clone.javaOk = (LuanJavaOk)cloner.clone(javaOk);
 	}
 
 	public boolean isList() {
diff -r b70102bab110 -r ba4daf107e07 src/luan/impl/Closure.java
--- a/src/luan/impl/Closure.java	Tue Jan 02 21:30:41 2018 -0700
+++ b/src/luan/impl/Closure.java	Wed Jan 17 20:59:42 2018 -0700
@@ -6,17 +6,17 @@
 import luan.LuanException;
 import luan.LuanCloner;
 import luan.LuanCloneable;
-import luan.LuanJava;
+import luan.LuanJavaOk;
 
 
 public abstract class Closure extends LuanFunction implements LuanCloneable, Cloneable {
 	public Pointer[] upValues;
-	public LuanJava ljava;
+	public LuanJavaOk javaOk;
 	private LuanCloner cloner;
 
-	public Closure(int nUpValues,LuanJava java) throws LuanException {
+	public Closure(int nUpValues,LuanJavaOk javaOk) throws LuanException {
 		this.upValues = new Pointer[nUpValues];
-		this.ljava = java;
+		this.javaOk = javaOk;
 	}
 
 	@Override public Closure shallowClone() {
@@ -33,12 +33,12 @@
 		switch( cloner.type ) {
 		case COMPLETE:
 			clone.upValues = (Pointer[])cloner.clone(upValues);
-			clone.ljava = (LuanJava)cloner.clone(ljava);
+			clone.javaOk = (LuanJavaOk)cloner.clone(javaOk);
 			return;
 		case INCREMENTAL:
 			clone.cloner = cloner;
 			clone.upValues = upValues;
-			clone.ljava = ljava;
+			clone.javaOk = javaOk;
 			return;
 		}
 	}
@@ -46,7 +46,7 @@
 	private void check() {
 		if( cloner != null ) {
 			upValues = (Pointer[])cloner.clone(upValues);
-			ljava = (LuanJava)cloner.clone(ljava);
+			javaOk = (LuanJavaOk)cloner.clone(javaOk);
 			cloner = null;
 		}
 	}
@@ -55,14 +55,14 @@
 		if( luan.isLocked )
 			throw new RuntimeException("luan is locked");
 		check();
-		LuanJava old = luan.java;
-		luan.java = ljava;
+		LuanJavaOk old = luan.javaOk;
+		luan.javaOk = javaOk;
 		try {
 			return doCall(luan,args);
 		} catch(StackOverflowError e) {
 			throw new LuanException( "stack overflow" );
 		} finally {
-			luan.java = old;
+			luan.javaOk = old;
 		}	
 	}
 
diff -r b70102bab110 -r ba4daf107e07 src/luan/impl/LuanCompiler.java
--- a/src/luan/impl/LuanCompiler.java	Tue Jan 02 21:30:41 2018 -0700
+++ b/src/luan/impl/LuanCompiler.java	Wed Jan 17 20:59:42 2018 -0700
@@ -8,7 +8,7 @@
 import luan.LuanState;
 import luan.LuanException;
 import luan.LuanTable;
-import luan.LuanJava;
+import luan.LuanJavaOk;
 import luan.modules.JavaLuan;
 import luan.modules.PackageLuan;
 
@@ -18,19 +18,19 @@
 
 	public static LuanFunction compile(String sourceText,String sourceName,LuanTable env) throws LuanException {
 		Class fnClass = env==null ? getClass(sourceText,sourceName) : getClass(sourceText,sourceName,env);
-		LuanJava java;
+		LuanJavaOk javaOk;
 		if( env == null ) {
-			java = new LuanJava();
+			javaOk = new LuanJavaOk();
 		} else {
-			java = env.java;
-			if( java == null ) {
-				java = new LuanJava();
-				env.java = java;
+			javaOk = env.javaOk;
+			if( javaOk == null ) {
+				javaOk = new LuanJavaOk();
+				env.javaOk = javaOk;
 			}
 		}
 		Closure closure;
 		try {
-			closure = (Closure)fnClass.getConstructor(LuanJava.class).newInstance(java);
+			closure = (Closure)fnClass.getConstructor(LuanJavaOk.class).newInstance(javaOk);
 		} catch(NoSuchMethodException e) {
 			throw new RuntimeException(e);
 		} catch(InstantiationException e) {
diff -r b70102bab110 -r ba4daf107e07 src/luan/impl/LuanImpl.java
--- a/src/luan/impl/LuanImpl.java	Tue Jan 02 21:30:41 2018 -0700
+++ b/src/luan/impl/LuanImpl.java	Wed Jan 17 20:59:42 2018 -0700
@@ -162,7 +162,7 @@
 			tbl.put(luan,key,value);
 			return;
 		}
-		if( t != null && luan.java.ok )
+		if( t != null && luan.javaOk.ok )
 			JavaLuan.__new_index(luan,t,key,value);
 		else
 			throw new LuanException( "attempt to index a " + Luan.type(t) + " value" );
diff -r b70102bab110 -r ba4daf107e07 src/luan/impl/LuanParser.java
--- a/src/luan/impl/LuanParser.java	Tue Jan 02 21:30:41 2018 -0700
+++ b/src/luan/impl/LuanParser.java	Wed Jan 17 20:59:42 2018 -0700
@@ -2012,12 +2012,12 @@
 			+"import luan.Luan;  "
 			+"import luan.LuanFunction;  "
 			+"import luan.LuanState;  "
-			+"import luan.LuanJava;  "
+			+"import luan.LuanJavaOk;  "
 			+"import luan.LuanException;  "
 			+"import luan.modules.PackageLuan;  "
 
 			+"public class " + className +" extends Closure {  "
-				+"public "+className+"(LuanJava java) throws LuanException {  "
+				+"public "+className+"(LuanJavaOk java) throws LuanException {  "
 					+"super("+upValueSymbols.size()+",java);  "
 					+ init(upValueSymbols)
 				+"}  "
@@ -2038,7 +2038,7 @@
 			stmt.add( "return LuanFunction.NOTHING;  " );
 		Expr exp = new Expr(Val.SINGLE,false);
 		exp.add( ""
-			+"new Closure("+upValueSymbols.size()+",ljava) {  "
+			+"new Closure("+upValueSymbols.size()+",javaOk) {  "
 				+"{  "
 				+ init(upValueSymbols)
 				+"}  "
diff -r b70102bab110 -r ba4daf107e07 src/luan/modules/IoLuan.java
--- a/src/luan/modules/IoLuan.java	Tue Jan 02 21:30:41 2018 -0700
+++ b/src/luan/modules/IoLuan.java	Wed Jan 17 20:59:42 2018 -0700
@@ -953,6 +953,8 @@
 	private static String SECURITY_KEY = "Io.Security";
 
 	private static void check(LuanState luan,String name) throws LuanException {
+		if( luan.javaOk.ok )
+			return;
 		Security s = (Security)luan.registry().get(SECURITY_KEY);
 		if( s!=null )
 			s.check(luan,name);
diff -r b70102bab110 -r ba4daf107e07 src/luan/modules/JavaLuan.java
--- a/src/luan/modules/JavaLuan.java	Tue Jan 02 21:30:41 2018 -0700
+++ b/src/luan/modules/JavaLuan.java	Wed Jan 17 20:59:42 2018 -0700
@@ -29,7 +29,7 @@
 
 	public static void java(LuanState luan) throws LuanException {
 		check(luan,LuanException.currentSource());
-		luan.java.ok = true;
+		luan.javaOk.ok = true;
 	}
 
 	public static final LuanFunction javaFn;
@@ -42,7 +42,7 @@
 	}
 
 	private static void checkJava(LuanState luan) throws LuanException {
-		if( !luan.java.ok )
+		if( !luan.javaOk.ok )
 			throw new LuanException("Java isn't allowed");
 	}
 
diff -r b70102bab110 -r ba4daf107e07 src/luan/modules/Rpc.luan
--- a/src/luan/modules/Rpc.luan	Tue Jan 02 21:30:41 2018 -0700
+++ b/src/luan/modules/Rpc.luan	Wed Jan 17 20:59:42 2018 -0700
@@ -173,7 +173,7 @@
 end_function
 
 function Rpc.remote(domain)
-	local socket = "socket:" .. domain .. ":" .. Rpc.port
+	local socket = "socket:"..domain..":"..Rpc.port
 	return Rpc.remote_socket(socket)
 end_function
 
diff -r b70102bab110 -r ba4daf107e07 src/luan/modules/lucene/Lucene.luan
--- a/src/luan/modules/lucene/Lucene.luan	Tue Jan 02 21:30:41 2018 -0700
+++ b/src/luan/modules/lucene/Lucene.luan	Wed Jan 17 20:59:42 2018 -0700
@@ -146,7 +146,7 @@
 		error "multiple lucene instances"
 	end
 
-	if Rpc.functions.backup == nil then
+	if Rpc.functions.lucene_backup == nil then
 
 		function Rpc.functions.lucene_backup(password)
 			Io.password == password or error "wrong password"