How to securely load Lua scripts in subdirectories of mod?


by Wuzzy » Sat Nov 05, 2016 13:48

Hi!
I have trouble getting .lua files to run if they are in a subdirectory of a mod.
When Mod Security is activated, Minetest does not allow me to load anything outside the mod directory. Not even subdirectories.
So, is there any way to load a script in a subdirectory without compromising mod security? I would hate to request an insecure environment or put all Lua scripts in the top level.
I'm creating MineClone 2, a Minecraft clone for Minetest.
I made the Help modpack, adding in-game help to Minetest.
 


by kaeza » Sun Nov 06, 2016 03:31

Can you paste your code?

I have tried a simple example, and found no issues:
Code:
-- sub/sub.lua

print("SUB!")

-- init.lua

local MP = minetest.get_modpath("sectest")

print("Main before dofile") --> OK
dofile(MP.."/sub/sub.lua") --> OK
print("Main after dofile") --> OK

-- ERROR[Main]: Attempt to access external file
-- /home/user/foobar.lua with mod security on.
dofile("/home/user/foobar.lua")


Edit: Just in case:
Code:
# git describe
0.4.14-272-g595932a
 


by Wuzzy » Sun Nov 06, 2016 13:47

Oops, maybe it's because of using loadfile instead of dofile. Does loadfile have more restrictions than dofile?

PS: I am talking about the QA-Block mod [qa_block]. This mod currently breaks with enabled mod security, and I wanted to figure out what to do about it. This mod uses loadfile to load scripts from a subdirectory.
 


by bell07 » Mon Nov 07, 2016 07:33

The issue with qa_block was that the files are read at runtime and not in the init stage. Now I implement a compatibility mode with reading all files at init (and blow up the RAM). But what is the reason to restrict the usual runtime more than the init stage? I see no security win in not being allowed to read something if I can read the same thing before in the init stage.
 


by bell07 » Wed Nov 09, 2016 12:26

Maybe my question was indiscernible in the last post, so I ask again: What is the reason to disallow reading of files in the mod directory after the init stage? I do not see a security benefit in it.

I see that restricting "dofile" or "loadfile" does make sense. The restriction prevents "hackers" from executing custom code while the server runs. But I see no reason to restrict just the reading through io.open().

Maybe it makes sense instead to disallow execution of loadstring() to get more security. Currently I can freely type and execute typed code at runtime in qa_block in secured Minetest, but I cannot load the Lua files as text.

pcall() should not be restricted. It is just another way to call already known (precompiled) functions.
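
The workaround bell07 describes above (load everything from the subdirectory during init, use it at runtime), sketched as an added example that is not code from qa_block or from any poster in this thread. The `checks` subdirectory, the `run_check` function and the chat command name are hypothetical.

```lua
-- init.lua (added example; "checks", run_check and the command name are hypothetical)
local modname = minetest.get_current_modname()
local modpath = minetest.get_modpath(modname)
local subdir = modpath .. "/checks"

-- Compiled chunks keyed by file name. Filled once, while init.lua runs,
-- which is the stage where the thread reports that file access works.
local chunks = {}

for _, name in ipairs(minetest.get_dir_list(subdir, false)) do
	if name:sub(-4) == ".lua" then
		-- loadfile compiles the file without running it;
		-- on a syntax error it returns nil plus a message.
		local chunk, err = loadfile(subdir .. "/" .. name)
		if chunk then
			chunks[name] = chunk
		else
			minetest.log("error", "[" .. modname .. "] cannot load "
				.. name .. ": " .. tostring(err))
		end
	end
end

-- Runtime entry point. The argument is only a table key, never a path,
-- so nothing is read from disk here and only preloaded code can run.
local function run_check(name)
	local chunk = chunks[name]
	if not chunk then
		return false, "unknown script: " .. tostring(name)
	end
	return pcall(chunk)
end

minetest.register_chatcommand("run_check", {
	params = "<file.lua>",
	description = "Run a script preloaded from the mod's checks/ directory",
	privs = {server = true},
	func = function(_, param)
		local ok, err = run_check(param)
		return ok, ok and "done" or tostring(err)
	end,
})
```

The cost is the one bell07 mentions: every script stays in memory as a compiled function for the lifetime of the server.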
 

