The-Powder-Toy/The-Powder-Toy

calling "os.exit()" in the console freezes the game, "os.execute" can also be used to do bad things

JasonS05 opened this issue · 3 comments

I would expect os.exit() to either

  1. Do nothing, except possibly resetting the Lua environment, or
  2. Quit the game, not freeze it

Maybe try replacing the os.exit function with some sanitized version that does one of the above?

Also, with os.execute, you can execute arbitrary terminal commands from within a Lua script. Maybe sanitize the whole os library before someone decides to make a malicious Lua script?

People might already have, but it's not a problem for the most part. The only approved way to get a Lua script is the script manager. Sadly, this could definitely be a problem, but probably only just as much as other malicious means could.

jacob1 commented

os.exit() used to quit the game, but it seems like it gets hung up somewhere now. My only guess would be something SDL-related. Would be nice to fix, even if we have to overwrite it with a C++ function to exit properly.

os.execute is a builtin Lua function, and there are many more dangerous functions than just that. I don't intend to remove any "dangerous" functions from the game, as it's Lua API that someone may want to use. There's tons of functions that could be counted as dangerous, including io.popen (which can also execute arbitrary processes).

It's up to the user to only run safe scripts. The script server has a review process to filter out unsafe scripts; when downloading from other sources, it's up to you to verify what you are running is safe. It would take a very restrictive Lua API to filter out all the numerous abusable functions.

Fixed by 3cb6b26 and 694bc8e.
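
The "sanitized os library" idea discussed in this thread, as an added example that is not The Powder Toy's code and not something the maintainers adopted: an untrusted chunk is loaded into an allowlisted environment, which shows how much of the standard library has to be left out. The names `copy`, `make_env` and `load_sandboxed` and the sample script are hypothetical.

```lua
-- Added example (not The Powder Toy's code). Lua 5.1/LuaJIT and Lua 5.2+.
-- Limits: no CPU or memory cap, and string methods stay reachable through
-- the shared string metatable.

local function copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

-- Allowlist: only names placed here are visible to the untrusted chunk.
local function make_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, print = print,
    math = copy(math), table = copy(table),
    -- os: clock/time only. No execute, exit, remove, rename, getenv, tmpname.
    os = { clock = os.clock, time = os.time, difftime = os.difftime },
    -- Deliberately absent: io, package, require, debug, dofile, loadfile,
    -- load, loadstring, getfenv, setfenv, rawset, getmetatable, setmetatable.
  }
  env._G = env
  return env
end

local function load_sandboxed(src, chunkname)
  -- Precompiled bytecode starts with ESC; refuse it, accept source text only.
  if src:sub(1, 1) == "\27" then return nil, "bytecode rejected" end
  local env = make_env()
  if setfenv then                        -- Lua 5.1 / LuaJIT
    local fn, err = loadstring(src, chunkname)
    if not fn then return nil, err end
    return setfenv(fn, env)
  end
  return load(src, chunkname, "t", env)  -- Lua 5.2+
end

-- Constructed sample script standing in for an untrusted download.
local untrusted = [[
  return type(os.execute), type(os.exit), type(io),
         type(require), type(os.clock)
]]
local fn = assert(load_sandboxed(untrusted, "=untrusted"))
print(pcall(fn))
```

Anything a script legitimately needs (file access, for instance) has to be added to the allowlist as a wrapped function, so every addition is a new interface to review.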