mirror of https://github.com/luanti-org/luanti.git synced 2025-06-27 16:36:03 +00:00

Deprecate function support in core.[de]serialize

This commit is contained in:
Lars Müller 2025-04-23 21:39:27 +02:00 committed by GitHub
parent f2ea4a4565
commit dd2e45ee82
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 78 additions and 22 deletions


@ -23,3 +23,5 @@ This list is largely advisory and items may be reevaluated once the time comes.
* stop reading initial properties from bare entity def
* change particle default blend mode to `clip`
* remove built-in knockback and related functions entirely
* remove `safe` parameter from `core.serialize`, always enforce `safe = true`.
possibly error when `loadstring` calls are encountered in `core.deserialize`.
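Review bot: the new roadmap entry names the wrong function: `safe` is a parameter of `core.deserialize(string[, safe])`, not of `core.serialize(table)`, which takes only the table (see the API hunk in this same commit). Suggest `* remove `safe` parameter from `core.deserialize`, always enforce `safe = true`.` so the roadmap item points at the function whose signature will actually change.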


@ -7611,14 +7611,19 @@ Misc.
* `core.serialize(table)`: returns a string
* Convert a table containing tables, strings, numbers, booleans and `nil`s
into string form readable by `core.deserialize`
* Support for dumping function bytecode is **deprecated**.
* Example: `serialize({foo="bar"})`, returns `'return { ["foo"] = "bar" }'`
* `core.deserialize(string[, safe])`: returns a table
* Convert a string returned by `core.serialize` into a table
* `string` is loaded in an empty sandbox environment.
* Will load functions if safe is false or omitted. Although these functions
cannot directly access the global environment, they could bypass this
restriction with maliciously crafted Lua bytecode if mod security is
disabled.
* Will load functions if `safe` is `false` or omitted.
Although these functions cannot directly access the global environment,
they could bypass this restriction with maliciously crafted Lua bytecode
if mod security is disabled.
* Will silently strip functions embedded via calls to `loadstring`
(typically bytecode dumped by `core.serialize`) if `safe` is `true`.
You should not rely on this if possible.
* Example: `core.deserialize("return loadstring('')", true)` will be `nil`.
* This function should not be used on untrusted data, regardless of the
value of `safe`. It is fine to serialize then deserialize user-provided
data, but directly providing user input to deserialize is always unsafe.
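Review bot: the deprecation is only stated on the serializer side; the `core.deserialize` bullets still present "Will load functions if `safe` is `false` or omitted" as the normal default, with no indication that this path is deprecated or that omitting `safe` will eventually behave as `safe = true` per the roadmap entry added in this commit. Suggest marking it, e.g. `* Will load functions if `safe` is `false` or omitted (**deprecated**).`, so callers relying on the default see the warning where they read the API. Two smaller points in the same hunk: the `core.serialize` bullet says dumping function bytecode is deprecated but not what a caller observes when it still does so (warning logged, or silently unchanged), and "You should not rely on this if possible." is ambiguous about what is not to be relied on; "Do not rely on this stripping as a security measure." says what is meant.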