Mercurial Hosting > luan
changeset 277:8ac3eaf8ecd9
fix security
git-svn-id: https://luan-java.googlecode.com/svn/trunk@278 21e917c8-12df-6dd8-5cb6-c86387c605b9
author | fschmidt@gmail.com <fschmidt@gmail.com@21e917c8-12df-6dd8-5cb6-c86387c605b9> |
---|---|
date | Fri, 21 Nov 2014 05:39:46 +0000 (2014-11-21) |
parents | e5a0dd95f3e7 |
children | 4a0a84c38617 |
files | core/src/luan/modules/IoLuan.java core/src/luan/modules/JavaLuan.java core/src/luan/modules/PackageLuan.java |
diffstat | 3 files changed, 6 insertions(+), 42 deletions(-) [+] |
line wrap: on
line diff
--- a/core/src/luan/modules/IoLuan.java Thu Nov 20 04:20:34 2014 +0000 +++ b/core/src/luan/modules/IoLuan.java Fri Nov 21 05:39:46 2014 +0000 @@ -350,7 +350,7 @@ private LuanFile(LuanState luan,File file) throws LuanException { this(file); - check(luan,file.toString()); + check(luan,"file",file.toString()); } private LuanFile(File file) { @@ -439,6 +439,7 @@ boolean isLoading = Boolean.TRUE.equals(loading); if( isLoading ) path += ".luan"; + check(luan,"classpath",path); URL url; if( !path.contains("#") ) { url = ClassLoader.getSystemResource(path); @@ -466,6 +467,7 @@ if( !isLoading ) return null; String modName = name.replace('/','.') + "Luan.LOADER"; +// check(luan,"classpath",modName); try { //System.out.println("modName = "+modName); final LuanFunction fn = PackageLuan.load_lib(luan,modName); // throws exception if not found @@ -647,39 +649,20 @@ // security public interface Security { - public void check(LuanState luan,String name) throws LuanException; + public void check(LuanState luan,String scheme,String name) throws LuanException; } private static String SECURITY_KEY = "Io.Security"; - private static void check(LuanState luan,String name) throws LuanException { + private static void check(LuanState luan,String scheme,String name) throws LuanException { Security s = (Security)luan.registry().get(SECURITY_KEY); if( s!=null ) - s.check(luan,name); + s.check(luan,scheme,name); } public static void setSecurity(LuanState luan,Security s) { luan.registry().put(SECURITY_KEY,s); } - public static class DirSecurity implements Security { - private final String[] dirs; - - public DirSecurity(LuanState luan,String[] dirs) { - this.dirs = dirs; - } - - @Override public void check(LuanState luan,String name) throws LuanException { - if( name.contains("..") ) - throw luan.exception("Security violation - '"+name+"' contains '..'"); - for( String dir : dirs ) { - if( name.startsWith(dir) ) - return; - } - throw luan.exception("Security violation - '"+name+"' not in allowed directory"); - } - } - - private void IoLuan() {} // never }
--- a/core/src/luan/modules/JavaLuan.java Thu Nov 20 04:20:34 2014 +0000 +++ b/core/src/luan/modules/JavaLuan.java Fri Nov 21 05:39:46 2014 +0000 @@ -29,11 +29,8 @@ public static final LuanFunction LOADER = new LuanFunction() { @Override public Object call(LuanState luan,Object[] args) throws LuanException { - if( PackageLuan.is_blocked(luan,"Java") ) - throw luan.exception("Java is blocked"); LuanTable module = Luan.newTable(); try { - module.put( "block", new LuanJavaFunction(JavaLuan.class.getMethod("block",LuanState.class),null) ); module.put( "class", new LuanJavaFunction(JavaLuan.class.getMethod("getClass",LuanState.class,String.class),null) ); add( module, "proxy", LuanState.class, Static.class, LuanTable.class, Object.class ); } catch(NoSuchMethodException e) { @@ -69,10 +66,6 @@ } } - public static void block(LuanState luan) { - PackageLuan.block(luan,"Java"); - } - public static Object __index(LuanState luan,Object obj,Object key) throws LuanException { if( obj instanceof Static ) { if( key instanceof String ) {
--- a/core/src/luan/modules/PackageLuan.java Thu Nov 20 04:20:34 2014 +0000 +++ b/core/src/luan/modules/PackageLuan.java Fri Nov 21 05:39:46 2014 +0000 @@ -48,10 +48,6 @@ return luan.registryTable("Package.loaded"); } - private static LuanTable blocked(LuanState luan) { - return luan.registryTable("Package.blocked"); - } - private static Object pkg(LuanState luan,String key) { LuanTable t = (LuanTable)loaded(luan).get("Package"); return t==null ? null : t.get(key); @@ -103,14 +99,6 @@ } - public static void block(LuanState luan,String key) { - blocked(luan).put(key,true); - } - - public static boolean is_blocked(LuanState luan,String key) { - return blocked(luan).get(key) != null; - } - public static LuanFunction load_lib(LuanState luan,String path) throws ClassNotFoundException, NoSuchFieldException, IllegalAccessException, LuanException {