1
0
Fork 0
mirror of https://github.com/luanti-org/luanti.git synced 2025-09-15 18:57:08 +00:00

Require request_insecure_environment to be called from the mod's main scope

Previously you could steal a secure environment from a trusted mod by wrapping
request_insecure_environment with some code like this:

local rie_cp = minetest.request_insecure_environment
local stolen_ie
function minetest.request_insecure_environment()
	local ie = rie_cp()
	stolen_ie = stolen_ie or ie
	return ie
end
This commit is contained in:
ShadowNinja 2016-02-18 16:06:07 -05:00 committed by paramat
parent 997be666e3
commit 4827ee1258
2 changed files with 28 additions and 6 deletions

View file

@ -2437,7 +2437,7 @@ These functions return the leftover itemstack.
* `minetest.request_insecure_environment()`: returns an environment containing
insecure functions if the calling mod has been listed as trusted in the
`secure.trusted_mods` setting or security is disabled, otherwise returns `nil`.
* Only works at init time.
* Only works at init time and must be called from the mod's main scope (not from a function).
* **DO NOT ALLOW ANY OTHER MODS TO ACCESS THE RETURNED ENVIRONMENT, STORE IT IN
A LOCAL VARIABLE!**