From 703e6fdadb5251b6f42e35f0f71f3094f5e15f75 Mon Sep 17 00:00:00 2001
From: Jeija
Date: Wed, 28 Dec 2016 10:07:59 +0100
Subject: Luacontroller: Restrict digiline messages

Restrict maximum length of messages to 50.000 characters and disable sending functions or table references over the wire. Restrict types of channel variable to string, number or boolean. The missing length restriction made DoS-like attacks possible by overflowing memory using string concatenation. Thanks to gamemanj for disclosing this issue.
---
 mesecons_luacontroller/init.lua | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'mesecons_luacontroller')
diff --git a/mesecons_luacontroller/init.lua b/mesecons_luacontroller/init.lua
index 7d76b26..3c34887 100644
--- a/mesecons_luacontroller/init.lua
+++ b/mesecons_luacontroller/init.lua
@@ -273,9 +273,23 @@ end
 local function get_digiline_send(pos)
 if not digiline then return end
 return function(channel, msg)
+ -- Make sure channel is string, number or boolean
+ if (type(channel) ~= "string" and type(channel) ~= "number" and type(channel) ~= "boolean") then
+ return false
+ end
+
+ -- No sending functions over the wire and make sure serialized version
+ -- of the data is not insanely long to prevent DoS-like attacks
+ msg = mesecon.tablecopy_stripfunctions(msg)
+ local msg_ser = minetest.serialize(msg)
+ if #msg_ser > mesecon.setting("luacontroller_digiline_maxlen", 50000) then
+ return false
+ end
+
 minetest.after(0, function()
 digiline:receptor_send(pos, digiline.rules.default, channel, msg)
 end)
+ return true
 end
 end
 
@@ -284,6 +298,7 @@ local safe_globals = {
 "assert", "error", "ipairs", "next", "pairs", "select",
 "tonumber", "tostring", "type", "unpack", "_VERSION"
 }
+
 local function create_environment(pos, mem, event)
 -- Gather variables for the environment
 local vports = minetest.registered_nodes[minetest.get_node(pos).name].virtual_portstates
-- 
cgit v1.2.3
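Review bot: The channel check at the top of the returned closure restricts only the type, so a string channel of arbitrary length still reaches `digiline:receptor_send`, while only `msg` is bounded by `luacontroller_digiline_maxlen`. Since the commit message attributes the DoS to memory growth through string concatenation, the same kind of bound should apply to the channel, for example `if type(channel) == "string" and #channel > mesecon.setting("luacontroller_digiline_channel_maxlen", 256) then return false end` right after the type check. The size limit is also enforced only after `mesecon.tablecopy_stripfunctions(msg)` and `minetest.serialize(msg)` have run, so an oversized table is still copied and serialized in full before it is rejected. Whether the copy helper bounds depth or copes with self-referencing tables is not visible in this hunk and is worth confirming.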