changeset 277:8ac3eaf8ecd9

fix security git-svn-id: https://luan-java.googlecode.com/svn/trunk@278 21e917c8-12df-6dd8-5cb6-c86387c605b9
author fschmidt@gmail.com <fschmidt@gmail.com@21e917c8-12df-6dd8-5cb6-c86387c605b9>
date Fri, 21 Nov 2014 05:39:46 +0000 (2014-11-21)
parents e5a0dd95f3e7
children 4a0a84c38617
files core/src/luan/modules/IoLuan.java core/src/luan/modules/JavaLuan.java core/src/luan/modules/PackageLuan.java
diffstat 3 files changed, 6 insertions(+), 42 deletions(-) [+]
line wrap: on
line diff
--- a/core/src/luan/modules/IoLuan.java	Thu Nov 20 04:20:34 2014 +0000
+++ b/core/src/luan/modules/IoLuan.java	Fri Nov 21 05:39:46 2014 +0000
@@ -350,7 +350,7 @@
 
 		private LuanFile(LuanState luan,File file) throws LuanException {
 			this(file);
-			check(luan,file.toString());
+			check(luan,"file",file.toString());
 		}
 
 		private LuanFile(File file) {
@@ -439,6 +439,7 @@
 		boolean isLoading = Boolean.TRUE.equals(loading);
 		if( isLoading )
 			path += ".luan";
+		check(luan,"classpath",path);
 		URL url;
 		if( !path.contains("#") ) {
 			url = ClassLoader.getSystemResource(path);
@@ -466,6 +467,7 @@
 		if( !isLoading )
 			return null;
 		String modName = name.replace('/','.') + "Luan.LOADER";
+//		check(luan,"classpath",modName);
 		try {
 //System.out.println("modName = "+modName);
 			final LuanFunction fn = PackageLuan.load_lib(luan,modName);  // throws exception if not found
@@ -647,39 +649,20 @@
 	// security
 
 	public interface Security {
-		public void check(LuanState luan,String name) throws LuanException;
+		public void check(LuanState luan,String scheme,String name) throws LuanException;
 	}
 
 	private static String SECURITY_KEY = "Io.Security";
 
-	private static void check(LuanState luan,String name) throws LuanException {
+	private static void check(LuanState luan,String scheme,String name) throws LuanException {
 		Security s = (Security)luan.registry().get(SECURITY_KEY);
 		if( s!=null )
-			s.check(luan,name);
+			s.check(luan,scheme,name);
 	}
 
 	public static void setSecurity(LuanState luan,Security s) {
 		luan.registry().put(SECURITY_KEY,s);
 	}
 
-	public static class DirSecurity implements Security {
-		private final String[] dirs;
-
-		public DirSecurity(LuanState luan,String[] dirs) {
-			this.dirs = dirs;
-		}
-
-		@Override public void check(LuanState luan,String name) throws LuanException {
-			if( name.contains("..") )
-				throw luan.exception("Security violation - '"+name+"' contains '..'");
-			for( String dir : dirs ) {
-				if( name.startsWith(dir) )
-					return;
-			}
-			throw luan.exception("Security violation - '"+name+"' not in allowed directory");
-		}
-	}
-
-
 	private void IoLuan() {}  // never
 }
--- a/core/src/luan/modules/JavaLuan.java	Thu Nov 20 04:20:34 2014 +0000
+++ b/core/src/luan/modules/JavaLuan.java	Fri Nov 21 05:39:46 2014 +0000
@@ -29,11 +29,8 @@
 
 	public static final LuanFunction LOADER = new LuanFunction() {
 		@Override public Object call(LuanState luan,Object[] args) throws LuanException {
-			if( PackageLuan.is_blocked(luan,"Java") )
-				throw luan.exception("Java is blocked");
 			LuanTable module = Luan.newTable();
 			try {
-				module.put( "block", new LuanJavaFunction(JavaLuan.class.getMethod("block",LuanState.class),null) );
 				module.put( "class", new LuanJavaFunction(JavaLuan.class.getMethod("getClass",LuanState.class,String.class),null) );
 				add( module, "proxy", LuanState.class, Static.class, LuanTable.class, Object.class );
 			} catch(NoSuchMethodException e) {
@@ -69,10 +66,6 @@
 		}
 	}
 
-	public static void block(LuanState luan) {
-		PackageLuan.block(luan,"Java");
-	}
-
 	public static Object __index(LuanState luan,Object obj,Object key) throws LuanException {
 		if( obj instanceof Static ) {
 			if( key instanceof String ) {
--- a/core/src/luan/modules/PackageLuan.java	Thu Nov 20 04:20:34 2014 +0000
+++ b/core/src/luan/modules/PackageLuan.java	Fri Nov 21 05:39:46 2014 +0000
@@ -48,10 +48,6 @@
 		return luan.registryTable("Package.loaded");
 	}
 
-	private static LuanTable blocked(LuanState luan) {
-		return luan.registryTable("Package.blocked");
-	}
-
 	private static Object pkg(LuanState luan,String key) {
 		LuanTable t = (LuanTable)loaded(luan).get("Package");
 		return t==null ? null : t.get(key);
@@ -103,14 +99,6 @@
 	}
 
 
-	public static void block(LuanState luan,String key) {
-		blocked(luan).put(key,true);
-	}
-
-	public static boolean is_blocked(LuanState luan,String key) {
-		return blocked(luan).get(key) != null;
-	}
-
 	public static LuanFunction load_lib(LuanState luan,String path)
 		throws ClassNotFoundException, NoSuchFieldException, IllegalAccessException, LuanException
 	{