Freeciv - Bugs: bug #15725, [Metaticket] Lua script security

 
 

bug #15725: [Metaticket] Lua script security

Submitted by: Engla <englabenny>
Submitted on: Sun 28 Mar 2010 10:55:57 AM UTC
Category: general
Severity: 3 - Normal
Priority: 5 - Normal
Status: Fixed
Assigned to: Engla <englabenny>
Open/Closed: Closed
Release: 2.1, 2.2
Operating System: None
Planned Release:


Sat 30 Jun 2012 11:04:03 AM UTC, comment #7:

Closing as work got done and nothing new has happened for a while.

However, I invite those interested in the Lua security model to comment on bug #19729; we need some sort of answer for 2.4.0.

Jacob Nevins <jtn>
Project Administrator

Sat 12 May 2012 09:33:55 PM UTC, comment #6:

Any reason to keep this ticket open? There's been no movement on it for quite some time.

Jacob Nevins <jtn>
Project Administrator

Sun 18 Apr 2010 08:34:06 PM UTC, comment #5:

The way this is developing, no further changes are planned for the 2.1 branch. 2.1 branch has only had the directly unsafe/unwanted functions removed (read/write/execute programs etc).

Engla <englabenny>
Project Member (in charge of this item)

Wed 14 Apr 2010 03:09:02 PM UTC, SVN revision 17342:

API: Hide Lua module 'debug'

We load the debug library, but do not make it available in the
Lua API. The debug module allows access to (among other things) the
registry, and upvalues (local variables of closures).

See gna bug #15725

(Browse SVN revision 17342)

Engla <englabenny>
Project Member (in charge of this item)

Wed 14 Apr 2010 03:08:51 PM UTC, SVN revision 17341:

API: Hide Lua module 'debug'

We load the debug library, but do not make it available in the
Lua API. The debug module allows access to (among other things) the
registry, and upvalues (local variables of closures).

See gna bug #15725

(Browse SVN revision 17341)

Engla <englabenny>
Project Member (in charge of this item)

Wed 14 Apr 2010 01:16:10 PM UTC, comment #2:

To clarify the last comment:

We hide '.get', but the tolua runtime will use it to look up object fields. This will be type safe, unlike direct access to the ".get" table.

We remove '.set', so the tolua runtime will not allow writing back object fields (see bug #15696).

Engla <englabenny>
Project Member (in charge of this item)

Wed 14 Apr 2010 01:10:51 PM UTC, comment #1:

Here is a plan:

No unsafe functions (should be done)

No NULL pointers and no wild pointers (in progress):
1. We check arguments everywhere. Script functions should try to assure success or raise a script error.
2. Debug module hidden to disallow access to stuff that we hide (below)

No NULL pointers and no wild pointers (planned):
3. Limit access to the 'tolua' module (tolua.cast etc)
4. Remove access to all the API types' metatables (the table ".get" contains unprotected C function calls to look up object fields (.id, .name, .owner etc)). Remove access to ".set" (all fields should be read-only, objects will be mutable by adding methods/setters instead)

Are these goals too ambitious? In particular, item 1 is much more ambitious than it sounds like. (Depending on the API function of course).

Engla <englabenny>
Project Member (in charge of this item)
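
How items 2 and 4 of the plan in comment #1 depend on each other, as an added example that is not Freeciv code and not part of the original ticket. It is a plain-Lua model (Freeciv's API objects are tolua userdata; `make_player`, `make_env`, `run_sandboxed` and the probe script are hypothetical names constructed here) of an object with a locked metatable and no write path, probed from a script environment with and without `debug`.

```lua
-- Model of an API object: readable fields, no write path, locked metatable.
-- (Freeciv's real objects are tolua userdata; this table proxy is a stand-in.)
local function make_player(id, name)
  local fields = { id = id, name = name }
  return setmetatable({}, {
    __index = function(_, k) return fields[k] end,          -- the ".get" role
    __newindex = function(_, k)                             -- ".set" removed
      error("field '" .. tostring(k) .. "' is read-only", 2)
    end,
    __metatable = "locked", -- getmetatable() returns this, setmetatable() fails
  })
end

-- Globals a script is allowed to see; 'debug' only when expose_debug is true.
local function make_env(player, expose_debug)
  return { player = player, pcall = pcall, type = type,
           getmetatable = getmetatable, setmetatable = setmetatable,
           debug = expose_debug and debug or nil }
end

-- Run source text with 'env' as its global table (Lua 5.1 and 5.2+).
local function run_sandboxed(src, env)
  local chunk, err
  if setfenv then
    chunk, err = loadstring(src, "script")
    if chunk then setfenv(chunk, env) end
  else
    chunk, err = load(src, "script", "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed probe script: what can a script reach on the object?
local probe = [[
  local r = { read = player.name }
  r.write_ok   = pcall(function() player.name = "x" end)
  r.mt_visible = type(getmetatable(player)) == "table"
  r.swap_ok    = pcall(setmetatable, player, {})
  r.debug_mt   = debug ~= nil and type(debug.getmetatable(player)) == "table"
  return r
]]
local p = make_player(1, "Caesar")
local _, hidden  = run_sandboxed(probe, make_env(p, false))
local _, exposed = run_sandboxed(probe, make_env(p, true))
assert(hidden.read == "Caesar")                       -- reads still work
assert(not (hidden.write_ok or hidden.mt_visible or hidden.swap_ok))
assert(not hidden.debug_mt)   -- 'debug' hidden: the lock holds
assert(exposed.debug_mt)      -- 'debug' exposed: real metatable is reachable
```

The last two assertions are the point of item 2: the `__metatable` lock only protects the object when the script environment does not include `debug`.
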
Sun 28 Mar 2010 10:55:57 AM UTC, original submission:

I think it is best to be conservative: Security is hard, and we have no reason to believe the script runtime is secure against exploits.

Engla <englabenny>
Project Member (in charge of this item)

 


Items that depend on this one: None found

 


     

     

Follow 9 latest changes.

Date | Changed By | Updated Field | Previous Value => Replaced By
Sat 30 Jun 2012 11:04:03 AM UTC | jtn | Status | In Progress => Fixed
 | | Open/Closed | Open => Closed
Sun 18 Apr 2010 08:32:42 PM UTC | englabenny | Status | Need Info => In Progress
 | | Assigned to | None => englabenny
Sun 18 Apr 2010 08:32:26 PM UTC | englabenny | Dependencies | - => Depends on bugs #15696
Wed 14 Apr 2010 03:03:44 PM UTC | englabenny | Dependencies | - => Depends on patch #1621
Sun 11 Apr 2010 10:11:30 PM UTC | englabenny | Dependencies | - => Depends on patch #1617
Sat 10 Apr 2010 10:50:02 PM UTC | englabenny | Dependencies | - => Depends on patch #1611
Sun 28 Mar 2010 10:56:25 AM UTC | englabenny | Dependencies | - => Depends on bugs #15624