oss/luanti
oss/luanti
1
0
Fork 0
mirror of https://github.com/luanti-org/luanti.git synced 2025-10-05 19:31:04 +00:00
Code Wiki Activity
12958 commits 6 branches 73 tags 326 MiB
Commit graph

62 commits

Author SHA1 Message Date
Desour
a79e337d7a decide not to overwrite tostring 
tostring({}) and string.format("%s", {}) give you pointers.
(see lj_strfmt_obj)
this is not very critical, but attacks could be made harder if we change this.
the effort of overwriting is not worth it I think right now
 2025-09-22 19:08:44 +02:00
Desour
21155488eb (edit: don't) Fix unpack, and some other things 2025-09-22 19:08:44 +02:00
Desour
962742559f stuff 2025-09-22 19:08:44 +02:00
Desour
2a75ffa38a actually load the code, and make it not crash 2025-09-22 19:08:44 +02:00
Desour
e4a3b631cf mod_vfs stuff from TurkeyMcMac's PR 
Co-authored-by: Jude Melton-Houghton <jwmhjwmh@gmail.com>
 2025-09-22 19:08:44 +02:00
Desour
31513cac6e tmp3 2025-09-22 19:08:44 +02:00
sfan5
47c000a293 Add unittest that lints builtin JSON files 2025-03-04 19:53:01 +01:00
SmallJoker
5419345dff
PauseMenuScripting: resolve absolute 'builtin' path before substring check (#15720) 
In 99% of the cases, this behaviour is identical to before.
With this commit, it is again possible to have 'builtin' a symlink that e.g.
points to the engine source directory, which is helpful for development purposes.
 2025-02-02 19:04:50 +01:00
sfan5
a4d1b5b155
Fix script security path normalization in presence of links (#15481) 2024-12-03 16:51:34 +01:00
sfan5
ea4ae55e24 Implement script sandboxing for main menu 2024-11-13 14:22:41 +01:00
sfan5
1fd4e0b82d Refactor ScriptApiSecurity for cleaner separation of concerns 2024-11-13 14:22:41 +01:00
sfan5
294a30e445 Fix ScriptApiSecurity::checkPath mangling non-existent paths 
bug introduced in 1c1c97cbd1
 2024-11-03 19:27:08 +01:00
sfence
d849d51c2d
Replace licensing text in headers (LGPLv2.1) (#15321) 2024-10-28 15:57:39 +01:00
sfan5
37095f3e49 Change the preprocessor macro that differs server/client builds 2024-10-16 19:39:59 +02:00
DS
4aec4fbe6f
Add support for Tracy profiler (#15113) 2024-09-15 13:47:45 +02:00
rubenwardy
b487341c32
Deprecate writing to mod directories (#14486) 2024-03-27 18:32:05 +00:00
rubenwardy
6c4a110679
Add world-independent storage directory for mods (#12315) 
Fixes #4821
 2024-03-24 17:18:58 +00:00
sfan5
ce97210eb1 Refactor how script api reads current mod name 
This is to prevent future mistakes and make it clearer whether
the mod name can be trusted depending on how it is retrieved.
 2024-02-15 11:06:21 +01:00
sfan5
1ba26d67bd Remove excessive includes from porting.h 2024-01-14 13:17:53 +01:00
DS
2180dc14ef
Fix safeLoadFile() skipping 2 chars too much from the shebang (#13310) 2023-03-27 20:01:05 +02:00
Jude Melton-Houghton
d0a118f5b1
Add minetest.get_game_info and allow reading game.conf (#12989) 
Co-authored-by: sfan5 <sfan5@live.de>
 2022-11-28 07:21:43 -05:00
Jude Melton-Houghton
b38ffdec27
Implement vector and node conversion in Lua (#12609) 
Co-authored-by: sfan5 <sfan5@live.de>
 2022-10-18 18:01:44 -04:00
Jude Melton-Houghton
6f5a68b7f7
Allow getmetatable in CSM (#12776) 2022-09-18 17:32:18 +02:00
AFCMS
6ec6acc539
Add minetest.settings to CSM API and allow CSMs to provide settingtypes.txt (#12131) 
Co-authored-by: sfan5 <sfan5@live.de>
Co-authored-by: SmallJoker <SmallJoker@users.noreply.github.com>
 2022-08-02 11:58:08 +02:00
stefan
bb671c3089 Remove debug.get/setmetatable from security whitelist 
fixes #12216
 2022-05-29 14:00:19 +02:00
Jude Melton-Houghton
06d197cdd0
Store vector metatable in registry 2022-03-29 18:07:00 +02:00
sfan5
9a12e4499e Minor improvements to Lua sandbox 2022-01-15 17:45:08 +01:00
sfan5
b2409b14d0 Refactor trusted mod checking code 2021-12-18 20:37:13 +01:00
sfan5
f405459548 Remove setlocal and setupvalue from debug table whitelist 
It's likely that these could be used trick mods into revealing the insecure
environment even if they do everything right (which is already hard enough).
 2021-12-18 20:37:13 +01:00
Lejo
b9051386ae
Add Lua bitop library (#9847) 2021-11-26 19:31:05 +01:00
sfan5
6a1424f2b1
Async-related script cleanups 2021-08-28 12:15:12 +02:00
sfan5
623f0a8613 Isolate library tables between sandbox and insecure env 2021-04-18 16:06:42 +02:00
sfan5
74762470b2 Fix some minor code issues all over the place 2020-12-24 13:44:54 +01:00
luk3yx
61a196378f
Fix CSMs on arm64 (#10553) 2020-10-25 18:01:39 +01:00
sfan5
659245acc7
Work around LuaJIT issues on aarch64 (#9614) 
- Move the text segment below the 47-bit limit, needed for script_exception_wrapper which must be lightuserdata
- Replace CUSTOM_RIDX_SCRIPTAPI with full userdata
 2020-04-08 20:14:08 +02:00
sfan5
82a2e02323 Load client mods into memory before execution. 
Preperation for server-sent CSM which will eventually need this.
 2019-11-09 16:08:38 +01:00
sfan5
5ab546f99b Refactor loading of Lua code with mod security 2019-11-09 16:08:38 +01:00
SmallJoker
b0baa698a4 CSM: Fix itemstack:get_meta() 'metadata' indexing error 2019-09-14 19:42:30 +02:00
SmallJoker
23677be951 Load CSM environment after the restrictions are known 
Safety-guards for CSM callbacks to abort on a bad implementation
Only run callbacks when the mods are loaded (and with it: builtin)

Duplication checks inside constructors
 2019-09-14 19:42:25 +02:00
y
ecd20de64d Removed debug.upvaluejoin to prevent leak of insecure environment 2019-07-24 11:43:09 +02:00
Quentin Bazin
5f1cd555cd Move client-specific files to 'src/client' (#7902) 
Update Android.mk
Remove 'src/client' from include_directories
 2018-11-28 20:01:49 +01:00
Loïc Blot
eef62c82a2
Modernize lua read (part 2 & 3): C++ templating assurance (#7410) 
* Modernize lua read (part 2 & 3): C++ templating assurance

Implement the boolean reader
Implement the string reader
Also remove unused & unimplemented script_error_handler
Add a reader with default value
 2018-06-30 17:11:38 +02:00
red-001
1e94a7feaf Move setlocale from Lua to C++. 2018-02-08 15:38:34 +01:00
Loïc Blot
1c1c97cbd1 Modernize source code: last part (#6285) 
* Modernize source code: last par

* Use empty when needed
* Use emplace_back instead of push_back when needed
* For range-based loops
* Initializers fixes
* constructors, destructors default
* c++ C stl includes
 2017-08-20 13:30:50 +02:00
red-001
f3ad75691a Create a filesystem abstraction layer for CSM and only allow accessing files that are scanned into it. (#5965) 
* Load client-side mods into memory before executing them.

This removes the remaining filesystem access that client-sided mods had and it will hopefully make then more secure.

* Lua Virtual filesystem: don't load the files into memory just scan the filenames into memory.

* Fix the issues with backtrace

* fix most of the issues

* fix code style.

* add a comment
 2017-06-30 20:14:39 +02:00
Auke Kok
97988a1044 Plug two minor Leaks (#5603) 
* Resource leak: CHECK_FILE_ERR returns, without freeing chunk_name.

Found with static analysis.

* Resource leak: leaks `page` on error path.

Found with static analysis.
 2017-04-17 09:04:58 +02:00
red-001
2e3778ec0c Block access to the io library 2017-03-19 12:34:33 +01:00
red-001
a50d07d39a [CSM] Improve security for client-sided mods (#5100) 2017-03-13 23:56:05 +01:00
Loic Blot
2efae3ffd7 [CSM] Client side modding 
* rename GameScripting to ServerScripting
* Make getBuiltinLuaPath static serverside
* Add on_shutdown callback
* Add on_receiving_chat_message & on_sending_chat_message callbacks
* ScriptApiBase: use IGameDef instead of Server
  This permits to share common attribute between client & server
* Enable mod security in client side modding without conditions
 2017-03-13 23:56:05 +01:00
Loïc Blot
39123fcce5 Remove os.exit from the Lua secure sandbox (#5090) 
os.exit will exit not using proper resource liberation paths.

Mods should call the proper exit mod using our API
 2017-01-21 22:05:54 +01:00