HTTP API: Address security hole (thanks @rubenwardy)

Jean-Patrick Guerrero 2021-12-06 14:44:40 +01:00
parent e4fdfa60bf
commit 382ff397a5
3 changed files with 10 additions and 15 deletions


@ -1,14 +1,13 @@
local modpath = core.get_modpath"i3" local modpath = core.get_modpath"i3"
local http = core.request_http_api()
local _loadfile = dofile(modpath .. "/src/operators.lua") local _loadfile = dofile(modpath .. "/src/operators.lua")
local function lf(path) local function lf(path)
return _loadfile(modpath .. path) return assert(_loadfile(modpath .. path))
end end
i3 = { i3 = {
modules = {}, modules = {},
http = core.request_http_api(),
MAX_FAVS = 6, MAX_FAVS = 6,
INV_SIZE = 4*9, INV_SIZE = 4*9,
HOTBAR_LEN = 9, HOTBAR_LEN = 9,
@ -80,7 +79,7 @@ i3 = {
} }
i3.files.common() i3.files.common()
i3.files.api() i3.files.api(http)
i3.files.compress() i3.files.compress()
i3.files.groups() i3.files.groups()
i3.files.callbacks() i3.files.callbacks()
@ -93,7 +92,7 @@ i3.data = dslz(storage:get_string"data") or {}
local init_bags = i3.files.bags() local init_bags = i3.files.bags()
local init_detached = i3.files.detached() local init_detached = i3.files.detached()
local fill_caches = i3.files.caches() local fill_caches = i3.files.caches(http)
local init_hud = i3.files.hud() local init_hud = i3.files.hud()
local function get_lang_code(info) local function get_lang_code(info)
@ -241,4 +240,4 @@ end
--i3.files.tests.tabs() --i3.files.tests.tabs()
--i3.files.tests.operators() --i3.files.tests.operators()
--i3.files.tests.compression() --i3.files.tests.compression()
--i3.files.tests.custom_recipes() --i3.files.tests.custom_recipes(http)
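Review bot: The new `local http = core.request_http_api()` at the top of the first hunk carries no comment explaining why the handle must stay file-local. Anything placed on the global `i3` table is reachable by every loaded mod, including mods that are not listed in `secure.http_mods`. I would add above it `-- Keep the HTTP handle local and pass it only to the files that need it; never store it on the global i3 table.` The comment should also say that `core.request_http_api()` returns nil when the mod is not granted HTTP access, so `i3.files.api(http)` and `i3.files.caches(http)` may receive nil.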


@ -1,4 +1,5 @@
local make_fs = i3.files.gui() local make_fs = i3.files.gui()
local http = ...
IMPORT("gmatch", "split") IMPORT("gmatch", "split")
IMPORT("S", "err", "fmt", "reg_items") IMPORT("S", "err", "fmt", "reg_items")
@ -22,13 +23,7 @@ function i3.register_craft(def)
local width, c = 0, 0 local width, c = 0, 0
if true_str(def.url) then if true_str(def.url) then
if not i3.http then http.fetch({url = def.url}, function(result)
return err(fmt([[i3.register_craft(): Unable to reach %s.
No HTTP support for this mod: add it to the `secure.http_mods` or
`secure.trusted_mods` setting.]], def.url))
end
i3.http.fetch({url = def.url}, function(result)
if result.succeeded then if result.succeeded then
local t = core.parse_json(result.data) local t = core.parse_json(result.data)
if is_table(t) then if is_table(t) then
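Review bot: `http.fetch({url = def.url}, ...)` in `i3.register_craft` is now reached with no nil check. `http` is nil whenever the mod is not listed in `secure.http_mods` or `secure.trusted_mods`, so a definition carrying `url` would raise an index-on-nil error instead of the removed diagnostic. Keep the guard, but against the local: `if not http then return err(fmt("i3.register_craft(): no HTTP support, unable to reach %s", def.url)) end`. Separately, `def.url` comes from whichever mod calls this public function, so i3 appears to perform the request on that caller's behalf; consider documenting that or restricting the accepted URLs. The body of `i3.register_craft` continues outside the hunk.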


@ -1,4 +1,5 @@
local replacements = {fuel = {}} local replacements = {fuel = {}}
local http = ...
IMPORT("maxn", "copy", "insert", "sort", "match", "sub") IMPORT("maxn", "copy", "insert", "sort", "match", "sub")
IMPORT("is_group", "extract_groups", "item_has_groups", "groups_to_items") IMPORT("is_group", "extract_groups", "item_has_groups", "groups_to_items")
@ -269,13 +270,13 @@ local function init_recipes()
resolve_aliases(_select) resolve_aliases(_select)
sort(i3.init_items) sort(i3.init_items)
if i3.http and true_str(i3.export_url) then if http and true_str(i3.export_url) then
local post_data = { local post_data = {
recipes = i3.recipes_cache, recipes = i3.recipes_cache,
usages = i3.usages_cache, usages = i3.usages_cache,
} }
i3.http.fetch_async { http.fetch_async {
url = i3.export_url, url = i3.export_url,
post_data = core.write_json(post_data), post_data = core.write_json(post_data),
} }
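Review bot: The POST destination is still read from `i3.export_url`, a field on the global `i3` table. The handle is now private, but the target of the privileged request can presumably still be assigned by any mod before `init_recipes` runs. Consider capturing the URL in a file-local at load time, or reading it from a server setting, and passing that to `http.fetch_async`. The handle returned by `http.fetch_async` is discarded, so a failed export is silent; a comment such as `-- best-effort export, failures are ignored` would make that intent explicit. `init_recipes` starts outside the hunk.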