Skip to content

Commit

Permalink
Don't allow loading scripts if they contain a path separator
Browse files Browse the repository at this point in the history
  • Loading branch information
@edo9300
edo9300 committed Jul 29, 2023
1 parent 1e7f855 commit f1288b6
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions libduel.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4272,8 +4272,15 @@ LUA_FUNCTION(LoadScript) {
check_param_count(L, 1);
const auto pduel = lua_get<duel*>(L);
const auto* string = lua_tolstring(L, 1, nullptr);
if(!string)
lua_error(L, "Parameter 1 should be \"String\".");
if(!string || *string == '\0')
lua_error(L, "Parameter 1 should be a non empty \"String\".");
{
auto start = string;
do {
if(*start == '/' || *start == '\\')
lua_error(L, "Passed script name containing a path separator");
} while(*start++);
}
if(/*auto check_cache = */lua_get<bool, true>(L, 2)) {
auto hash = [](const char* str)->uint32_t {
uint32_t hash = 5381, c;
Expand Down

0 comments on commit f1288b6

Please sign in to comment.