remove os.date and string.dump

2025-10-05 19:31:04 +00:00 · 2025-03-25 13:32:16 +01:00 · 2025-03-25 13:32:16 +01:00 · a2f98b1879
commit a2f98b1879
parent 51de8318b0
2 changed files with 25 additions and 11 deletions
--- a/src/script/cpp_api/s_security.cpp
+++ b/src/script/cpp_api/s_security.cpp
@ -408,19 +408,33 @@ void ScriptApiSecurity::initializeSecuritySSCSM()
 		"xpcall",
 		// Completely safe libraries
 		"coroutine",
-		"string", //TODO: string.dump?
 		"table",
 		"math",
 		"bit",
 	};
 	static const char *os_whitelist[] = {
-		"date", // TODO: can crash? (<http://lua-users.org/wiki/SandBoxes>)
 		"difftime",
 		"time"
 	};
 	static const char *debug_whitelist[] = {
 		"getinfo", // used by builtin and unset before mods load //TODO
-		"traceback" //TODO: is this fine, or does it print paths of C functions?
+		"traceback"
+	};
+	static const char *string_whitelist[] = { // all but string.dump
+		"byte",
+		"char",
+		"dump",
+		"find",
+		"format",
+		"gmatch",
+		"gsub",
+		"len",
+		"lower",
+		"match",
+		"rep",
+		"reverse",
+		"sub",
+		"upper"
 	};
 #if USE_LUAJIT
 	static const char *jit_whitelist[] = {
@ -479,6 +493,14 @@ void ScriptApiSecurity::initializeSecuritySSCSM()
 	lua_pop(L, 1);  // Pop old debug


+	// Copy safe string functions
+	lua_getglobal(L, "string");
+	lua_newtable(L);
+	copy_safe(L, string_whitelist, sizeof(string_whitelist));
+	lua_setfield(L, -3, "string");
+	lua_pop(L, 1);  // Pop old string
+
+
 #if USE_LUAJIT
 	// Copy safe jit functions, if they exist
 	lua_getglobal(L, "jit");