From 382ff397a5af9581c582f8fede227a827ee8ddb6 Mon Sep 17 00:00:00 2001
From: Jean-Patrick Guerrero
Date: Mon, 6 Dec 2021 14:44:40 +0100
Subject: [PATCH] HTTP API: Address security hole (thanks @rubenwardy)
---
 init.lua | 11 +++++------
 src/api.lua | 9 ++-------
 src/caches.lua | 5 +++--
 3 files changed, 10 insertions(+), 15 deletions(-)
diff --git a/init.lua b/init.lua
index 2537b33..90f916b 100644
--- a/init.lua
+++ b/init.lua
@@ -1,14 +1,13 @@
 local modpath = core.get_modpath"i3"
+local http = core.request_http_api()
 local _loadfile = dofile(modpath .. "/src/operators.lua")
 local function lf(path)
- return _loadfile(modpath .. path)
+ return assert(_loadfile(modpath .. path))
 end
 i3 = {
 modules = {},
- http = core.request_http_api(),
-
 MAX_FAVS = 6,
 INV_SIZE = 4*9,
 HOTBAR_LEN = 9,
@@ -80,7 +79,7 @@ i3 = {
 }
 i3.files.common()
-i3.files.api()
+i3.files.api(http)
 i3.files.compress()
 i3.files.groups()
 i3.files.callbacks()
@@ -93,7 +92,7 @@ i3.data = dslz(storage:get_string"data") or {}
 local init_bags = i3.files.bags()
 local init_detached = i3.files.detached()
-local fill_caches = i3.files.caches()
+local fill_caches = i3.files.caches(http)
 local init_hud = i3.files.hud()
 local function get_lang_code(info)
@@ -241,4 +240,4 @@ end
 --i3.files.tests.tabs()
 --i3.files.tests.operators()
 --i3.files.tests.compression()
---i3.files.tests.custom_recipes()
+--i3.files.tests.custom_recipes(http)
diff --git a/src/api.lua b/src/api.lua
index f899fa7..03a0a46 100644
--- a/src/api.lua
+++ b/src/api.lua
@@ -1,4 +1,5 @@
 local make_fs = i3.files.gui()
+local http = ...
 IMPORT("gmatch", "split")
 IMPORT("S", "err", "fmt", "reg_items")
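Review bot: The new `local http = core.request_http_api()` in the first init.lua hunk has no comment recording why the handle is a local, and that constraint is easy to undo later. A field of the global `i3` table is reachable by every other mod, which is presumably the hole this commit closes, so the handle should only ever travel as a chunk argument (`i3.files.api(http)`, `i3.files.caches(http)`). I would add `-- HTTP handle: keep it local, never store it in the global i3 table; nil unless i3 is listed in secure.http_mods / secure.trusted_mods` above the declaration. The same applies to the `local http = ...` lines added at the top of src/api.lua and src/caches.lua, which deserve `-- chunk argument passed from init.lua; may be nil`.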
@@ -22,13 +23,7 @@ function i3.register_craft(def)
 local width, c = 0, 0
 if true_str(def.url) then
- if not i3.http then
- return err(fmt([[i3.register_craft(): Unable to reach %s.
- No HTTP support for this mod: add it to the `secure.http_mods` or
- `secure.trusted_mods` setting.]], def.url))
- end
-
- i3.http.fetch({url = def.url}, function(result)
+ http.fetch({url = def.url}, function(result)
 if result.succeeded then
 local t = core.parse_json(result.data)
 if is_table(t) then
diff --git a/src/caches.lua b/src/caches.lua
index eec94bd..f2cda2f 100644
--- a/src/caches.lua
+++ b/src/caches.lua
@@ -1,4 +1,5 @@
 local replacements = {fuel = {}}
+local http = ...
 IMPORT("maxn", "copy", "insert", "sort", "match", "sub")
 IMPORT("is_group", "extract_groups", "item_has_groups", "groups_to_items")
@@ -269,13 +270,13 @@ local function init_recipes()
 resolve_aliases(_select)
 sort(i3.init_items)
- if i3.http and true_str(i3.export_url) then
+ if http and true_str(i3.export_url) then
 local post_data = {
 recipes = i3.recipes_cache,
 usages = i3.usages_cache,
 }
- i3.http.fetch_async {
+ http.fetch_async {
 url = i3.export_url,
 post_data = core.write_json(post_data),
 }
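Review bot: `http.fetch` in `i3.register_craft` is now reached without the nil check that the removed `if not i3.http` branch provided. On a server where i3 is not listed in `secure.http_mods` or `secure.trusted_mods` (the case the deleted message described), `http` is nil and a definition carrying `def.url` raises an index-nil error instead of logging one. The guard should be restored against the local, `if not http then return err(fmt("i3.register_craft(): no HTTP support, unable to reach %s", def.url)) end`; src/caches.lua already keeps its `if http and ...` test. Separately, `i3.register_craft` is still a global function, so any mod can have i3 fetch a URL of its choosing under i3's HTTP permission; if that is not intended, `def.url` should be checked against an allow-list or a server setting. The function body continues outside the hunk, so such a check may already exist further down.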
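Review bot: The export in `init_recipes` still takes its destination from `i3.export_url`, a field of the global `i3` table, while the handle itself has become a private local. Any mod that can write that field before this code runs would presumably choose where `i3.recipes_cache` and `i3.usages_cache` are posted; whether that can happen depends on load order and on where `export_url` is assigned, neither of which is visible here. Copying the URL into a file-local at load time (or reading it from a server setting) would put the destination under the same control as the handle, e.g. `local export_url = i3.export_url` next to `local http = ...`, then `url = export_url`. The function starts and ends outside the hunk.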