From 53a285c0c3544ff5dea7c67b741c3c2d06d22b47 Mon Sep 17 00:00:00 2001
From: Mike Pall
Date: Thu, 3 May 2012 19:04:44 +0200
Subject: Disable loading bytecode with an extra header (BOM or #!).

---
 src/lj_errmsg.h | 1 +
 src/lj_lex.c | 18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/lj_errmsg.h b/src/lj_errmsg.h
index 83c69ea8..d1db4386 100644
--- a/src/lj_errmsg.h
+++ b/src/lj_errmsg.h
@@ -139,6 +139,7 @@ ERRDEF(XFOR, LUA_QL("=") " or " LUA_QL("in") " expected")
 /* Bytecode reader errors. */
 ERRDEF(BCFMT, "cannot load incompatible bytecode")
 ERRDEF(BCBAD, "cannot load malformed bytecode")
+ERRDEF(BCHEAD, "attempt to load bytecode with extra header")
 
 #if LJ_HASFFI
 /* FFI errors. */
diff --git a/src/lj_lex.c b/src/lj_lex.c
index d87a49dc..669d2dfe 100644
--- a/src/lj_lex.c
+++ b/src/lj_lex.c
@@ -411,6 +411,7 @@ static int llex(LexState *ls, TValue *tv)
 /* Setup lexer state. */
 int lj_lex_setup(lua_State *L, LexState *ls)
 {
+  int header = 0;
   ls->L = L;
   ls->fs = NULL;
   ls->n = 0;
@@ -430,6 +431,7 @@ int lj_lex_setup(lua_State *L, LexState *ls)
     ls->n -= 2;
     ls->p += 2;
     next(ls);
+    header = 1;
   }
   if (ls->current == '#') {  /* Skip POSIX #! header line. */
     do {
@@ -437,8 +439,22 @@ int lj_lex_setup(lua_State *L, LexState *ls)
       if (ls->current == END_OF_STREAM) return 0;
     } while (!currIsNewline(ls));
     inclinenumber(ls);
+    header = 1;
   }
-  return (ls->current == LUA_SIGNATURE[0]);  /* Bytecode dump? */
+  if (ls->current == LUA_SIGNATURE[0]) {  /* Bytecode dump. */
+    if (header) {
+      /*
+      ** Loading bytecode with an extra header is disabled for security
+      ** reasons. This may circumvent the usual check for bytecode vs.
+      ** Lua code by looking at the first char. Since this is a potential
+      ** security violation no attempt is made to echo the chunkname either.
+      */
+      setstrV(L, L->top++, lj_err_str(L, LJ_ERR_BCHEAD));
+      lj_err_throw(L, LUA_ERRSYNTAX);
+    }
+    return 1;
+  }
+  return 0;
 }
 
 /* Cleanup lexer state. */
-- 
cgit v1.2.1
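Review bot: The header comment `/* Setup lexer state. */` above lj_lex_setup (first lj_lex.c hunk) no longer describes the contract once the third hunk makes the function throw: a caller now has to know that a 1/0 return distinguishes bytecode dump from source and that a BOM or #! prefix followed by LUA_SIGNATURE[0] raises LUA_ERRSYNTAX with LJ_ERR_BCHEAD instead of returning. Suggest `/* Setup lexer state. Returns 1 for a bytecode dump, 0 for Lua source; throws LUA_ERRSYNTAX if a bytecode dump follows a BOM or #! header. */`. A regression test that loads a chunk beginning with a `#!` line and one beginning with a UTF-8 BOM, each followed by LUA_SIGNATURE, and asserts the LJ_ERR_BCHEAD message would pin the new rejection path, since the deliberately chunkname-free error is otherwise easy to regress silently. The function begins in the first hunk and its `header` flag is set in the second, so the check in the third hunk depends on both.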