Enable safe Lua os.* functions #316
Thanks. Please move to InitSecurity and set as a disabled function
CrosRoad95 commented Aug 8, 2018
You should enable os.tmpname
Generate a name that can be used for a temporary file. This only generates a name, it does not open a file.
http://lua-users.org/wiki/OsLibraryTutorial
could be useful 🙄
@CrosRoad95 os.tmpname returns a string with the full directory. It might be a security concern.
os.clock returns seconds, while getTickCount() returns ms
@Pirulax it returns a float of 0.001 precision in seconds format, which is the same as milliseconds.
I don't know.
Tried to run os.clock() on repl.it, but it's weird a little bit there.
I don't have a Lua interpreter installed, so I can't test that.
But I remember that I've read something about os.clock() returning seconds only, and if I remembered it correctly, I've read that at math.randomseed() function on lua-users.
@Pirulax it does return seconds, but in 0.001 precision. Read the example from Lua documentation: http://lua-users.org/wiki/OsLibraryTutorial
I'm just going to give my two cents here to @Dezash: wouldn't it be better to push the CLuaUtilDefs::DisabledFunction method to the Lua stack, instead of a nil value, to disable these unsafe OS library functions? That method logs an error and pushes false to the Lua stack, which states more clearly MTA's intent to disable those functions to the scripter. Just replacing them with a nil value, on the other hand, is a bit less clear at first hand.
I think (but I'm not sure, I'm not an active C++ developer who works with Lua) you can use lua_pushcfunction(m_luaVM, CLuaUtilDefs::DisabledFunction) to accomplish this, similarly to other disabled functions that follow.
@AlexTMjugador agreed. I did mention this in my review but I don't think he noticed 🙂
Good idea, I missed qaisjp's note somehow.
We might want to disable os.setlocale as well as it changes the locale globally for the entire application. This could result in unwanted side effects.
Loads Lua Os library and disables the following functions:
The following functions are enabled:
These functions are much faster than MTA's substitute functions.
Here's how os.clock compares with getTickCount:
Result:
INFO: getTickCount 3926
INFO: os.clock 418
Almost 10 times faster than getTickCount. Considering that functions such as getTickCount or getRealTime are often used onClientRender, this may allow scripters to slightly increase script performance.
This would also help accommodate people who have knowledge of Lua, but are new to MTA.
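The two ways of disabling an `os` function discussed in the review comments above (setting it to nil versus replacing it with a function that logs and returns false), shown side by side as an added Lua example that is not part of the PR or MTA's code. The `DISABLED` list and the `make_disabled` helper are assumptions for illustration, not the PR's actual list or `CLuaUtilDefs::DisabledFunction` itself.

```lua
-- Added example, not MTA code. DISABLED is an assumed list for illustration;
-- it is not the list of functions this PR disables.
local DISABLED = { "execute", "exit", "getenv", "remove", "rename", "setlocale", "tmpname" }

-- Hypothetical stand-in for CLuaUtilDefs::DisabledFunction:
-- record an error message and return false to the caller.
local function make_disabled(name, log)
    return function()
        log[#log + 1] = "os." .. name .. " is disabled"
        return false
    end
end

-- Build a restricted copy of the os table using one of the two strategies.
local function restricted_os(strategy, log)
    local copy = {}
    for k, v in pairs(os) do copy[k] = v end
    for _, name in ipairs(DISABLED) do
        if strategy == "nil" then
            copy[name] = nil                       -- function simply vanishes
        else
            copy[name] = make_disabled(name, log)  -- function stays, but is inert
        end
    end
    return copy
end

-- Constructed script: calls a disabled function, then an allowed one.
local function script(os_table)
    local ok = os_table.remove("constructed-path.txt")
    return ok, type(os_table.clock())
end

for _, strategy in ipairs({ "nil", "stub" }) do
    local log = {}
    local ran, a, b = pcall(script, restricted_os(strategy, log))
    -- "nil":  pcall fails with an "attempt to call ... a nil value" error
    -- "stub": the script keeps running, gets false, and the log names the function
    print(strategy, ran, a, b, log[1])
end
```

With the nil strategy the script aborts at the first disabled call with a generic runtime error; with the stub it continues and the log entry states which function was blocked.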