author | Jeija <norrepli@gmail.com> | 2016-12-28 10:07:59 +0100 |
committer | Jeija <norrepli@gmail.com> | 2016-12-28 10:07:59 +0100 |
commit | 703e6fdadb5251b6f42e35f0f71f3094f5e15f75 (patch) | |
tree | 2f699fd54e574917be179a59749705b7355fce54 /mesecons | |
parent | 67cd17aa799dd4d168e95f2c3ea80076371da26e (diff) | |
Luacontroller: Restrict digiline messages
Restrict maximum length of messages to 50.000 characters and disable sending functions or table references over the wire. Restrict types of channel variable to string, number or boolean.
The missing length restriction made DoS-like attacks possible by overflowing memory using string concatenation. Thanks to gamemanj for disclosing this issue.
Diffstat (limited to 'mesecons')
-rw-r--r-- | mesecons/util.lua | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/mesecons/util.lua b/mesecons/util.lua
index 39f5696..0a06401 100644
--- a/mesecons/util.lua
+++ b/mesecons/util.lua
@@ -151,6 +151,22 @@ function mesecon.tablecopy(table) -- deep table copy
  return newtable
 end
 
+function mesecon.tablecopy_stripfunctions(table) -- deep table copy, but remove all functions
+ if type(table) == "function" then return nil end -- functions become nil
+ if type(table) ~= "table" then return table end -- no need to copy
+ local newtable = {}
+
+ for idx, item in pairs(table) do
+ if type(item) == "table" then
+ newtable[idx] = mesecon.tablecopy(item)
+ elseif type(item) ~= "function" then
+ newtable[idx] = item
+ end
+ end
+
+ return newtable
+end
+
 function mesecon.cmpAny(t1, t2)
  if type(t1) ~= type(t2) then return false end
  if type(t1) ~= "table" and type(t2) ~= "table" then return t1 == t2 end
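Review bot: Nested tables are copied with `mesecon.tablecopy(item)` on the line inside the `for` loop, so a function stored one level down survives the strip unless tablecopy itself drops functions, which the tail of it visible in the context lines does not show; the name promises a deep strip, so that line should recurse into the new function instead: `newtable[idx] = mesecon.tablecopy_stripfunctions(item)`. Keys are copied through unchanged, so a function-typed `idx` still reaches the copy; if that matters for what goes over the wire, skip entries whose key is a function as well. Neither copy routine guards against self-referencing tables, so a cyclic input recurses until the Lua stack overflows; a `seen` table keyed by the source table would bound that, though mesecon.tablecopy's body lies outside the hunk. Naming the parameter `table` shadows the standard `table` library inside the function, as the sibling tablecopy already does; `t` would avoid that.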