- added first round of security sandboxing for lua scripts (disable the os library)

source/glest_game/game/script_manager.cpp

@@ -411,20 +411,36 @@ void ScriptManager::init(World* world, GameCamera *gameCamera, const XmlNode *ro
 
 	if(SystemFlags::getSystemSettingType(SystemFlags::debugLUA).enabled) SystemFlags::OutputDebug(SystemFlags::debugLUA,"In [%s::%s Line: %d]\n",__FILE__,__FUNCTION__,__LINE__);
 
-	// Setup global functions and vars here
+	try {
-	luaScript.beginCall("global");
+		// Setup global functions and vars here
-	luaScript.endCall();
+		luaScript.beginCall("global");
-
-	//call startup function
-	if(this->rootNode == NULL) {
-		luaScript.beginCall("startup");
 		luaScript.endCall();
-	}
-	else {
-		loadGame(this->rootNode);
-		this->rootNode = NULL;
-	}
 
+		//call startup function
+		if(this->rootNode == NULL) {
+			luaScript.beginCall("startup");
+			luaScript.endCall();
+		}
+		else {
+			loadGame(this->rootNode);
+			this->rootNode = NULL;
+		}
+	}
+	catch(const megaglest_runtime_error &ex) {
+		string sErrBuf = "";
+		//if(ex.wantStackTrace() == true) {
+			char szErrBuf[8096]="";
+			sprintf(szErrBuf,"In [%s::%s %d]",__FILE__,__FUNCTION__,__LINE__);
+			sErrBuf = string(szErrBuf) + string("\nerror [") + string(ex.what()) + string("]\n");
+		//}
+		SystemFlags::OutputDebug(SystemFlags::debugError,sErrBuf.c_str());
+		if(SystemFlags::getSystemSettingType(SystemFlags::debugSystem).enabled) SystemFlags::OutputDebug(SystemFlags::debugSystem,sErrBuf.c_str());
+
+		ScriptManager_STREFLOP_Wrapper streflopWrapper;
+
+		messageQueue.push_back(ScriptManagerMessage(sErrBuf.c_str(), "error"));
+		onMessageBoxOk(false);
+	}
 	if(SystemFlags::getSystemSettingType(SystemFlags::debugLUA).enabled) SystemFlags::OutputDebug(SystemFlags::debugLUA,"In [%s::%s Line: %d]\n",__FILE__,__FUNCTION__,__LINE__);
 }
 

source/glest_game/main/main.cpp

@@ -49,6 +49,7 @@
 #include <locale.h>
 #include "string_utils.h"
 #include "auto_test.h"
+#include "lua_script.h"
 
 // To handle signal catching
 #if defined(__GNUC__) && !defined(__MINGW32__) && !defined(__FreeBSD__) && !defined(BSD)
@@ -3206,6 +3207,10 @@ int glestMain(int argc, char** argv) {
 		Config &config = Config::getInstance();
 		setupGameItemPaths(argc, argv, &config);
 
+		if(config.getBool("DisableLuaSandbox","false") == true) {
+			LuaScript::setDisableSandbox(true);
+		}
+
 		Socket::setBroadCastPort(config.getInt("BroadcastPort",intToStr(Socket::getBroadCastPort()).c_str()));
 
 		Socket::disableNagle = config.getBool("DisableNagle","false");

source/shared_lib/include/lua/lua_script.h

@@ -42,12 +42,16 @@ private:
 	string sandboxWrapperFunctionName;
 	string sandboxCode;
 
+	static bool disableSandbox;
+
 	void DumpGlobals();
 
 public:
 	LuaScript();
 	~LuaScript();
 
+	static void setDisableSandbox(bool value) { disableSandbox = value; }
+
 	void loadCode(string code, string name);
 
 	void beginCall(string functionName);

source/shared_lib/sources/lua/lua_script.cpp

@@ -45,6 +45,8 @@ public:
 //	class LuaScript
 // =====================================================
 
+bool LuaScript::disableSandbox = false;
+
 LuaScript::LuaScript() {
 	Lua_STREFLOP_Wrapper streflopWrapper;
 
@@ -56,11 +58,24 @@ LuaScript::LuaScript() {
 
 	luaL_openlibs(luaState);
 
-	if(luaState==NULL){
+	if(luaState == NULL) {
 		throw megaglest_runtime_error("Can not allocate lua state");
 	}
 
 	argumentCount= -1;
+
+	if(disableSandbox == false) {
+		lua_getglobal(luaState, "os");
+		lua_pushnil(luaState);
+		lua_setfield(luaState, -2, "execute");
+		lua_pushnil(luaState);
+		lua_setfield(luaState, -2, "rename");
+		lua_pushnil(luaState);
+		lua_setfield(luaState, -2, "remove");
+		lua_pushnil(luaState);
+		lua_setfield(luaState, -2, "exit");
+		lua_pop(luaState, 1);
+	}
 }
 
 void LuaScript::DumpGlobals()