"date",
"difftime",
"getenv",
- "setlocale",
"time",
- "tmpname",
};
static const char *debug_whitelist[] = {
"gethook",
// And replace unsafe ones
SECURE_API(os, remove);
SECURE_API(os, rename);
+ SECURE_API(os, setlocale);
lua_setglobal(L, "os");
lua_pop(L, 1); // Pop old OS
lua_pop(L, 1); // Pop old jit
#endif
+ // Get rid of 'core' in the old globals, we don't want anyone thinking it's
+ // safe or even usable.
+ lua_pushnil(L);
+ lua_setfield(L, old_globals, "core");
+
lua_pop(L, 1); // Pop globals_backup
"rawset",
"select",
"setfenv",
- // getmetatable can be used to escape the sandbox
+ // getmetatable can be used to escape the sandbox <- ???
"setmetatable",
"tonumber",
"tostring",
"time"
};
static const char *debug_whitelist[] = {
- "getinfo",
+ "getinfo", // used by builtin and unset before mods load
"traceback"
};
lua_call(L, 1, 2);
return 2;
}
+
+
+int ScriptApiSecurity::sl_os_setlocale(lua_State *L)
+{
+ const bool cat = lua_gettop(L) > 1;
+ // Don't allow changes
+ if (!lua_isnoneornil(L, 1)) {
+ lua_pushnil(L);
+ return 1;
+ }
+
+ push_original(L, "os", "setlocale");
+ lua_pushnil(L);
+ if (cat)
+ lua_pushvalue(L, 2);
+ lua_call(L, cat ? 2 : 1, 1);
+ return 1;
+}