Mod security: Allow read-only access to all mod paths

src/script/lua_api/l_areastore.cpp

@@ -263,7 +263,7 @@ int LuaAreaStore::l_to_file(lua_State *L)
 	AreaStore *ast = o->as;
 
 	const char *filename = luaL_checkstring(L, 2);
-	CHECK_SECURE_PATH_OPTIONAL(L, filename);
+	CHECK_SECURE_PATH(L, filename, true);
 
 	std::ostringstream os(std::ios_base::binary);
 	ast->serialize(os);
@@ -294,7 +294,7 @@ int LuaAreaStore::l_from_file(lua_State *L)
 	LuaAreaStore *o = checkobject(L, 1);
 
 	const char *filename = luaL_checkstring(L, 2);
-	CHECK_SECURE_PATH_OPTIONAL(L, filename);
+	CHECK_SECURE_PATH(L, filename, false);
 
 	std::ifstream is(filename, std::ios::binary);
 	return deserialization_helper(L, o->as, is);

src/script/lua_api/l_mapgen.cpp

@@ -1295,7 +1295,7 @@ int ModApiMapgen::l_create_schematic(lua_State *L)
 	INodeDefManager *ndef = getServer(L)->getNodeDefManager();
 
 	const char *filename = luaL_checkstring(L, 4);
-	CHECK_SECURE_PATH_OPTIONAL(L, filename);
+	CHECK_SECURE_PATH(L, filename, true);
 
 	Map *map = &(getEnv(L)->getMap());
 	Schematic schem;

src/script/lua_api/l_settings.cpp

@@ -118,6 +118,11 @@ int LuaSettings::l_write(lua_State* L)
 	NO_MAP_LOCK_REQUIRED;
 	LuaSettings* o = checkobject(L, 1);
 
+	if (!o->m_write_allowed) {
+		throw LuaError("Settings: writing " + o->m_filename +
+				" not allowed with mod security on.");
+	}
+
 	bool success = o->m_settings->updateConfigFile(o->m_filename.c_str());
 	lua_pushboolean(L, success);
 
@@ -142,8 +147,9 @@ int LuaSettings::l_to_table(lua_State* L)
 	return 1;
 }
 
-LuaSettings::LuaSettings(const char* filename)
+LuaSettings::LuaSettings(const char* filename, bool write_allowed)
 {
+	m_write_allowed = write_allowed;
 	m_filename = std::string(filename);
 
 	m_settings = new Settings();
@@ -188,9 +194,10 @@ void LuaSettings::Register(lua_State* L)
 int LuaSettings::create_object(lua_State* L)
 {
 	NO_MAP_LOCK_REQUIRED;
+	bool write_allowed;
 	const char* filename = luaL_checkstring(L, 1);
-	CHECK_SECURE_PATH_OPTIONAL(L, filename);
-	LuaSettings* o = new LuaSettings(filename);
+	CHECK_SECURE_PATH_POSSIBLE_WRITE(L, filename, &write_allowed);
+	LuaSettings* o = new LuaSettings(filename, write_allowed);
 	*(void **)(lua_newuserdata(L, sizeof(void *))) = o;
 	luaL_getmetatable(L, className);
 	lua_setmetatable(L, -2);

src/script/lua_api/l_settings.h

@@ -53,11 +53,12 @@ private:
 	// to_table(self) -> {[key1]=value1,...}
 	static int l_to_table(lua_State* L);
 
+	bool m_write_allowed;
 	Settings* m_settings;
 	std::string m_filename;
 
 public:
-	LuaSettings(const char* filename);
+	LuaSettings(const char* filename, bool write_allowed);
 	~LuaSettings();
 
 	// LuaSettings(filename)

src/script/lua_api/l_util.cpp

@@ -388,7 +388,7 @@ int ModApiUtil::l_mkdir(lua_State *L)
 {
 	NO_MAP_LOCK_REQUIRED;
 	const char *path = luaL_checkstring(L, 1);
-	CHECK_SECURE_PATH_OPTIONAL(L, path);
+	CHECK_SECURE_PATH(L, path, true);
 	lua_pushboolean(L, fs::CreateAllDirs(path));
 	return 1;
 }
@@ -400,7 +400,7 @@ int ModApiUtil::l_get_dir_list(lua_State *L)
 	const char *path = luaL_checkstring(L, 1);
 	short is_dir = lua_isboolean(L, 2) ? lua_toboolean(L, 2) : -1;
 
-	CHECK_SECURE_PATH_OPTIONAL(L, path);
+	CHECK_SECURE_PATH(L, path, false);
 
 	std::vector<fs::DirListNode> list = fs::GetDirListing(path);