A fix and a test case for Bug#908094 Lua os.* methods are a security hole

Nullify risky os.* methods, as well as 'require', to prevent load of potentially risky dynamic libraries (.so). Add a small test.

A fix and a test case for Bug#908094 Lua os.* methods are a security hole
f2128db4 · Konstantin Osipov · f40abebb · f2128db4 · f2128db4 · f2128db4
Commit f2128db4 authored 13 years ago by Konstantin Osipov
--- a/mod/box/box.lua
+++ b/mod/box/box.lua
@@ -128,3 +128,11 @@ if initfile ~= nil then
    io.close(initfile)
    dofile("init.lua")
 end
+-- security: nullify some of the most serious os.* holes
+--
+os.execute = nil
+os.exit = nil
+os.rename = nil
+os.tmpname = nil
+os.remove = nil
+require = nil
--- a/test/box/lua.result
+++ b/test/box/lua.result
--- a/test/box/lua.test
+++ b/test/box/lua.test
@@ -242,3 +242,8 @@ exec admin "lua pcall(box.insert, 99, 1, 'test')"
 exec admin "lua pcall(box.insert, 0, 1, 'hello')"
 exec admin "lua pcall(box.insert, 0, 1, 'hello')"
 exec admin "lua box.space[0]:truncate()"
+print """
+# A test case for Bug#908094
+# Lua provides access to os.execute()
+"""
+exec admin "lua os.execute('ls')"