mirror of
https://github.com/moparisthebest/minetest
synced 2024-11-15 13:55:11 -05:00
Require minetest.request_http_api to be called from the mod's main scope
Fixes #3764
This commit is contained in:
parent
7bcbc0105b
commit
1100a5d614
@ -2337,7 +2337,7 @@ These functions return the leftover itemstack.
|
|||||||
otherwise returns `nil`.
|
otherwise returns `nil`.
|
||||||
* The returned table contains the functions `fetch`, `fetch_async` and `fetch_async_get`
|
* The returned table contains the functions `fetch`, `fetch_async` and `fetch_async_get`
|
||||||
described below.
|
described below.
|
||||||
* Only works at init time.
|
* Only works at init time and must be called from the mod's main scope (not from a function).
|
||||||
* Function only exists if minetest server was built with cURL support.
|
* Function only exists if minetest server was built with cURL support.
|
||||||
* **DO NOT ALLOW ANY OTHER MODS TO ACCESS THE RETURNED TABLE, STORE IT IN
|
* **DO NOT ALLOW ANY OTHER MODS TO ACCESS THE RETURNED TABLE, STORE IT IN
|
||||||
A LOCAL VARIABLE!**
|
A LOCAL VARIABLE!**
|
||||||
|
@ -23,6 +23,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
|
|||||||
#include "lua_api/l_http.h"
|
#include "lua_api/l_http.h"
|
||||||
#include "httpfetch.h"
|
#include "httpfetch.h"
|
||||||
#include "settings.h"
|
#include "settings.h"
|
||||||
|
#include "debug.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
|
|
||||||
#include <algorithm>
|
#include <algorithm>
|
||||||
@ -130,11 +131,27 @@ int ModApiHttp::l_request_http_api(lua_State *L)
|
|||||||
{
|
{
|
||||||
NO_MAP_LOCK_REQUIRED;
|
NO_MAP_LOCK_REQUIRED;
|
||||||
|
|
||||||
|
// We have to make sure that this function is being called directly by
|
||||||
|
// a mod, otherwise a malicious mod could override this function and
|
||||||
|
// steal its return value.
|
||||||
|
lua_Debug info;
|
||||||
|
|
||||||
|
// Make sure there's only one item below this function on the stack...
|
||||||
|
if (lua_getstack(L, 2, &info)) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
FATAL_ERROR_IF(!lua_getstack(L, 1, &info), "lua_getstack() failed");
|
||||||
|
FATAL_ERROR_IF(!lua_getinfo(L, "S", &info), "lua_getinfo() failed");
|
||||||
|
|
||||||
|
// ...and that that item is the main file scope.
|
||||||
|
if (strcmp(info.what, "main") != 0) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
// Mod must be listed in secure.http_mods or secure.trusted_mods
|
// Mod must be listed in secure.http_mods or secure.trusted_mods
|
||||||
lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_CURRENT_MOD_NAME);
|
lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_CURRENT_MOD_NAME);
|
||||||
if (!lua_isstring(L, -1)) {
|
if (!lua_isstring(L, -1)) {
|
||||||
lua_pushnil(L);
|
return 0;
|
||||||
return 1;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
const char *mod_name = lua_tostring(L, -1);
|
const char *mod_name = lua_tostring(L, -1);
|
||||||
|
Loading…
Reference in New Issue
Block a user