Bug #693065

'/read' is allowed to execute '/lua unsafe-*' but can come from a mod pack

Added by Sveinung Kvilhaugsvik almost 5 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Category: Server
Sprint/Milestone:
Start date:
Due date:
% Done: 0%
Estimated time:

Description

Jacob Nevins wrote in Feature #692001:

It looks like '/read' is allowed to execute '/lua unsafe-file' etc.

Since rulesets are generally distributed with a .serv script, we should probably restrict what '/read' can do, even if executed from console / with 'hack' access. (In another ticket)


Related issues

Blocks Freeciv - Task #673656: S3_1 datafile format freeze (d3f) (Closed)


History

#1 Updated by Marko Lindqvist almost 5 years ago

  • Blocks Task #656466: S3_0 datafile format freeze (d3f) added

#2 Updated by Marko Lindqvist almost 5 years ago

Are 'lua unsafe-*' commands needed at S3_0 at all? The reasoning for their inclusion was running some tests that I think we run for master only.

If they are not needed in S3_0, I would prefer not to try to resolve their problems in that branch, but to revert them completely.

#3 Updated by Sveinung Kvilhaugsvik almost 5 years ago

Marko Lindqvist wrote:

Are 'lua unsafe-*' commands needed at S3_0 at all? The reasoning for their inclusion was running some tests that I think we run for master only.

They are useful when running the "did I break a ruleset?" test (./tests/rulesets_not_broken.sh) manually. This makes their usefulness depend on the number of future ruleset format changes to 3.0 where the developer plans to use rulesets_not_broken.sh to verify that a ruleset wasn't accidentally broken.

This isn't an objection to removing them from S3_0.

#4 Updated by Marko Lindqvist almost 4 years ago

  • Category set to Server
  • Sprint/Milestone changed from 3.0.0 to 3.1.0

lua-unsafe-* patches reverted from S3_0. That's Feature #692021, Feature #692310, and Feature #692001.

#5 Updated by Marko Lindqvist almost 4 years ago

  • Blocks Task #673656: S3_1 datafile format freeze (d3f) added

#6 Updated by Marko Lindqvist almost 4 years ago

  • Blocks deleted (Task #656466: S3_0 datafile format freeze (d3f))

#7 Updated by Marko Lindqvist over 3 years ago

Attached patch disallows execution of 'lua unsafe' and 'lua unsafe-file' when commands are read from a recursion level greater than 0 (i.e. at least one level of '/read').
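The shape of the check described in #7, as an added illustration that is not Freeciv's code (the actual patch is attached to the ticket and is not reproduced here): a toy command dispatcher carries a read-recursion counter that is 0 at the console and grows by one for every '/read', and refuses the unsafe Lua commands whenever that counter is greater than 0, so a .serv file shipped with a ruleset cannot smuggle them in no matter how deeply it is nested. Every identifier, the command table, and the two embedded scripts are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical command definition: each command says whether it may run
 * from inside a script loaded with '/read'. Not Freeciv's real table. */
struct cmd_def {
  const char *name;
  bool allowed_from_read;
};

/* Longest names first, so "lua unsafe-file" is matched before "lua unsafe". */
static const struct cmd_def cmd_table[] = {
  { "lua unsafe-file", false },
  { "lua unsafe",      false },
  { "lua file",        true  },
  { "set",             true  },
  { "read",            true  },
};

/* Constructed scripts standing in for the .serv files that '/read' would load. */
struct script { const char *name; const char *const *lines; int nlines; };

static const char *const ruleset_serv[] = {
  "set topology ISO",
  "lua file setup.lua",
  "lua unsafe-file payload.lua", /* must be rejected once we are inside a /read */
};
static const char *const wrapper_serv[] = {
  "read ruleset.serv",           /* nested read: the inner script runs at depth 2 */
};
static const struct script scripts[] = {
  { "ruleset.serv", ruleset_serv, 3 },
  { "wrapper.serv", wrapper_serv, 1 },
};

struct stats { int executed; int rejected; };

/* Match a command name at the start of the line, followed by a space or end. */
static const struct cmd_def *find_cmd(const char *line) {
  for (size_t i = 0; i < sizeof cmd_table / sizeof cmd_table[0]; i++) {
    size_t n = strlen(cmd_table[i].name);
    if (strncmp(line, cmd_table[i].name, n) == 0 && (line[n] == ' ' || line[n] == '\0')) {
      return &cmd_table[i];
    }
  }
  return NULL;
}

static void run_script(const char *name, int read_recursion, struct stats *st);

/* Dispatch one line. read_recursion is 0 at the console, +1 per '/read' level.
 * Returns true if the command ran, false if it was refused. */
static bool handle_command(const char *line, int read_recursion, struct stats *st) {
  const struct cmd_def *cmd = find_cmd(line);

  if (cmd == NULL || (!cmd->allowed_from_read && read_recursion > 0)) {
    /* The check from the ticket: unsafe Lua is console-only, never from a script. */
    printf("rejected (depth %d): %s\n", read_recursion, line);
    st->rejected++;
    return false;
  }
  if (strcmp(cmd->name, "read") == 0) {
    const char *arg = (line[4] == ' ') ? line + 5 : "";
    run_script(arg, read_recursion + 1, st);   /* one level deeper */
  }
  printf("executed (depth %d): %s\n", read_recursion, line);
  st->executed++;
  return true;
}

/* Execute every line of the named script at the given recursion depth. */
static void run_script(const char *name, int read_recursion, struct stats *st) {
  for (size_t i = 0; i < sizeof scripts / sizeof scripts[0]; i++) {
    if (strcmp(scripts[i].name, name) == 0) {
      for (int j = 0; j < scripts[i].nlines; j++) {
        handle_command(scripts[i].lines[j], read_recursion, st);
      }
      return;
    }
  }
  printf("no such script (depth %d): %s\n", read_recursion, name);
  st->rejected++;
}

/* How many lines are refused when the console operator runs "read <name>"? */
static int rejected_via_read(const char *name) {
  struct stats st = { 0, 0 };
  run_script(name, 1, &st);
  return st.rejected;
}

int main(void) {
  struct stats st = { 0, 0 };
  handle_command("lua unsafe-file payload.lua", 0, &st); /* console: allowed */
  handle_command("read wrapper.serv", 0, &st);           /* inner unsafe-file refused */
  printf("executed=%d rejected=%d\n", st.executed, st.rejected);
  return 0;
}
```

The point of keying the check on the recursion depth rather than on the operator's access level is that the console user with 'hack' access still gets to run the unsafe commands by typing them, while the same text arriving through any '/read', including a ruleset's own .serv file, is refused.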

#8 Updated by Marko Lindqvist over 3 years ago

  • Status changed from Resolved to Closed
  • Assignee set to Marko Lindqvist
