From 3bf903c3984c0b8858e60668787452cd08eae6f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20B=C3=BChler?= Date: Thu, 5 Aug 2021 16:06:48 +0200 Subject: [PATCH] [lua] provide and use li_lua_new_protected_metatable to prevent tampering with metatables Change-Id: Ifda5a1465c8fc291f0f09490a9f6e2c3f6b27504 --- include/lighttpd/config_lua.h | 3 +-- include/lighttpd/core_lua.h | 10 ++++++++++ src/main/actions_lua.c | 5 +---- src/main/base_lua.c | 1 - src/main/chunk_lua.c | 7 ++----- src/main/condition_lua.c | 10 ++++------ src/main/config_lua.c | 3 --- src/main/core_lua.c | 3 --- src/main/environment_lua.c | 5 +---- src/main/filters_lua.c | 5 +---- src/main/http_headers_lua.c | 5 +---- src/main/physical_lua.c | 5 +---- src/main/request_lua.c | 7 ++----- src/main/response_lua.c | 5 +---- src/main/stat_lua.c | 6 +----- src/main/subrequest_lua.c | 5 +---- src/main/value_lua.c | 4 +--- src/main/virtualrequest_lua.c | 7 ++----- src/modules/mod_lua.c | 3 --- src/modules/mod_memcached.c | 6 ++---- 20 files changed, 32 insertions(+), 73 deletions(-) diff --git a/include/lighttpd/config_lua.h b/include/lighttpd/config_lua.h index e888dec..1eb6411 100644 --- a/include/lighttpd/config_lua.h +++ b/include/lighttpd/config_lua.h @@ -2,8 +2,7 @@ #define _LIGHTTPD_CONFIG_LUA_H_ #include - -#include +#include LI_API gboolean li_config_lua_load(liLuaState *LL, liServer *srv, liWorker *wrk, const gchar *filename, liAction **pact, gboolean allow_setup, liValue *args); diff --git a/include/lighttpd/core_lua.h b/include/lighttpd/core_lua.h index 2e771ef..6484ef1 100644 --- a/include/lighttpd/core_lua.h +++ b/include/lighttpd/core_lua.h @@ -3,6 +3,7 @@ #include #include +#include #define LI_LUA_REGISTRY_STATE "lighttpd.state" #define LI_LUA_REGISTRY_SERVER "lighttpd.server" 
@@ -16,6 +17,7 @@ INLINE void li_lua_unlock(liLuaState *LL); /* expect (meta)table at top of the stack */ INLINE void li_lua_protect_metatable(lua_State *L); +INLINE int li_lua_new_protected_metatable(lua_State *L, const char *tname); /* chunk_lua.c */ LI_API void li_lua_init_chunk_mt(lua_State *L); @@ -146,4 +148,12 @@ INLINE void li_lua_protect_metatable(lua_State *L) { lua_setfield(L, -2, "__metatable"); } +INLINE int li_lua_new_protected_metatable(lua_State *L, const char *tname) { + int r = luaL_newmetatable(L, tname); + if (r) { + li_lua_protect_metatable(L); + } + return r; +} + #endif diff --git a/src/main/actions_lua.c b/src/main/actions_lua.c index 8d4b124..287c910 100644 --- a/src/main/actions_lua.c +++ b/src/main/actions_lua.c @@ -3,9 +3,6 @@ #include #include -#include -#include - #define LUA_ACTION "liAction*" static int lua_action_gc(lua_State *L) { @@ -30,7 +27,7 @@ static HEDLEY_NEVER_INLINE void init_action_mt(liServer *srv, lua_State *L) { } static void lua_push_action_metatable(liServer *srv, lua_State *L) { - if (luaL_newmetatable(L, LUA_ACTION)) { + if (li_lua_new_protected_metatable(L, LUA_ACTION)) { init_action_mt(srv, L); } } diff --git a/src/main/base_lua.c b/src/main/base_lua.c index c8281ef..174b412 100644 --- a/src/main/base_lua.c +++ b/src/main/base_lua.c @@ -4,7 +4,6 @@ #ifdef HAVE_LUA_H # include # include -# include #endif #ifdef HAVE_LUA_H diff --git a/src/main/chunk_lua.c b/src/main/chunk_lua.c index 4656690..5b825ff 100644 --- a/src/main/chunk_lua.c +++ b/src/main/chunk_lua.c @@ -1,9 +1,6 @@ #include -#include -#include - #include #define LUA_CHUNK "liChunk*" @@ -15,7 +12,7 @@ static HEDLEY_NEVER_INLINE void init_chunk_mt(lua_State *L) { } static void lua_push_chunk_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_CHUNK)) { + if (li_lua_new_protected_metatable(L, LUA_CHUNK)) { init_chunk_mt(L); } } 
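Review bot: In include/lighttpd/core_lua.h (hunk `@@ -16,6 +17,7 @@`) the new declaration of `li_lua_new_protected_metatable` sits directly under `/* expect (meta)table at top of the stack */`, which describes `li_lua_protect_metatable` and not the new helper, since the helper creates the table itself. I would give it its own comment, for example `/* like luaL_newmetatable(), but sets __metatable on a newly created table; returns non-zero only when the table was created */`. That also records that callers must keep the `if (...) init_*_mt(...)` pattern, because an existing table is returned unchanged.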
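Review bot: The tamper protection in `li_lua_new_protected_metatable` (include/lighttpd/core_lua.h, hunk `@@ -146,4 +148,12 @@`) rests only on the `__metatable` field, which affects the base-library `getmetatable`/`setmetatable` but is ignored by `debug.getmetatable`/`debug.setmetatable`. Whether the states that run user scripts open the debug library is not visible in this diff, so the assumption is worth stating on the helper, e.g. `/* only guards against the base library; relies on the debug library not being exposed to untrusted scripts */`. The field is also set before the callers' `init_*_mt` functions fill the table, which is fine only as long as none of them overwrite `__metatable`; their bodies are outside the hunks shown, so this should be checked.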
@@ -271,7 +268,7 @@ static HEDLEY_NEVER_INLINE void init_chunkqueue_mt(lua_State *L) { } static void lua_push_chunkqueue_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_CHUNKQUEUE)) { + if (li_lua_new_protected_metatable(L, LUA_CHUNKQUEUE)) { init_chunkqueue_mt(L); } } diff --git a/src/main/condition_lua.c b/src/main/condition_lua.c index 404c039..d683cb7 100644 --- a/src/main/condition_lua.c +++ b/src/main/condition_lua.c @@ -1,10 +1,8 @@ +#include #include #include -#include -#include - #define LUA_CONDITION "liCondition*" #define LUA_COND_LVALUE "liConditionLValue*" #define LUA_COND_LVALUE_T "liCondLValue" @@ -118,7 +116,7 @@ static HEDLEY_NEVER_INLINE void init_condition_mt(liServer *srv, lua_State *L) { } static void lua_push_condition_metatable(liServer *srv, lua_State *L) { - if (luaL_newmetatable(L, LUA_CONDITION)) { + if (li_lua_new_protected_metatable(L, LUA_CONDITION)) { init_condition_mt(srv, L); } } @@ -223,7 +221,7 @@ static HEDLEY_NEVER_INLINE void init_cond_lvalue_mt(liServer *srv, lua_State *L) } static void lua_push_cond_lvalue_metatable(liServer *srv, lua_State *L) { - if (luaL_newmetatable(L, LUA_COND_LVALUE)) { + if (li_lua_new_protected_metatable(L, LUA_COND_LVALUE)) { init_cond_lvalue_mt(srv, L); } } @@ -264,7 +262,7 @@ static HEDLEY_NEVER_INLINE void init_cond_lvalue_t_mt(liServer *srv, lua_State * } static void lua_push_cond_lvalue_t_metatable(liServer *srv, lua_State *L) { - if (luaL_newmetatable(L, LUA_COND_LVALUE_T)) { + if (li_lua_new_protected_metatable(L, LUA_COND_LVALUE_T)) { init_cond_lvalue_t_mt(srv, L); } } diff --git a/src/main/config_lua.c b/src/main/config_lua.c index 4900e73..b981734 100644 --- a/src/main/config_lua.c +++ b/src/main/config_lua.c @@ -6,9 +6,6 @@ #include -#include -#include - typedef int (*LuaWrapper)(liServer *srv, liWorker *wrk, lua_State *L, const char *key); static liValue* lua_params_to_value(liServer *srv, lua_State *L) { 
diff --git a/src/main/core_lua.c b/src/main/core_lua.c index 79e8b62..7ddc13a 100644 --- a/src/main/core_lua.c +++ b/src/main/core_lua.c @@ -4,9 +4,6 @@ #include #include -#include -#include - liLuaState *li_lua_state_get(lua_State *L) { liLuaState *LL; diff --git a/src/main/environment_lua.c b/src/main/environment_lua.c index 747c6c1..550a373 100644 --- a/src/main/environment_lua.c +++ b/src/main/environment_lua.c @@ -1,9 +1,6 @@ #include -#include -#include - #define LUA_ENVIRONMENT "liEnvironment*" static int lua_environment_get(lua_State *L) { @@ -118,7 +115,7 @@ static HEDLEY_NEVER_INLINE void init_env_mt(lua_State *L) { } static void lua_push_environment_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_ENVIRONMENT)) { + if (li_lua_new_protected_metatable(L, LUA_ENVIRONMENT)) { init_env_mt(L); } } diff --git a/src/main/filters_lua.c b/src/main/filters_lua.c index 45cd8ec..2a459b1 100644 --- a/src/main/filters_lua.c +++ b/src/main/filters_lua.c @@ -3,9 +3,6 @@ #include #include -#include -#include - #define LUA_FILTER "liFilter*" typedef int (*lua_Filter_Attrib)(liFilter *f, lua_State *L); @@ -116,7 +113,7 @@ static HEDLEY_NEVER_INLINE void init_filter_mt(lua_State *L) { } static void lua_push_filter_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_FILTER)) { + if (li_lua_new_protected_metatable(L, LUA_FILTER)) { init_filter_mt(L); } } diff --git a/src/main/http_headers_lua.c b/src/main/http_headers_lua.c index 925e769..3fd3707 100644 --- a/src/main/http_headers_lua.c +++ b/src/main/http_headers_lua.c @@ -1,9 +1,6 @@ #include -#include -#include - #define LUA_HTTPHEADERS "liHttpHeaders*" static int lua_http_headers_get(lua_State *L) { @@ -206,7 +203,7 @@ static HEDLEY_NEVER_INLINE void init_http_headers_mt(lua_State *L) { } static void lua_push_http_headers_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_HTTPHEADERS)) { + if (li_lua_new_protected_metatable(L, LUA_HTTPHEADERS)) { init_http_headers_mt(L); } } 
diff --git a/src/main/physical_lua.c b/src/main/physical_lua.c index cf79fbd..1651313 100644 --- a/src/main/physical_lua.c +++ b/src/main/physical_lua.c @@ -1,9 +1,6 @@ #include -#include -#include - #define LUA_PHYSICAL "liPhysical*" typedef int (*lua_Physical_Attrib)(liPhysical *phys, lua_State *L); @@ -132,7 +129,7 @@ static HEDLEY_NEVER_INLINE void init_physical_mt(lua_State *L) { } static void lua_push_physical_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_PHYSICAL)) { + if (li_lua_new_protected_metatable(L, LUA_PHYSICAL)) { init_physical_mt(L); } } diff --git a/src/main/request_lua.c b/src/main/request_lua.c index fd775f3..2208ab4 100644 --- a/src/main/request_lua.c +++ b/src/main/request_lua.c @@ -1,9 +1,6 @@ #include -#include -#include - #define LUA_REQUEST "liRequest*" #define LUA_REQUESTURI "liRequestUri*" @@ -148,7 +145,7 @@ static HEDLEY_NEVER_INLINE void init_request_mt(lua_State *L) { } static void lua_push_request_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_REQUEST)) { + if (li_lua_new_protected_metatable(L, LUA_REQUEST)) { init_request_mt(L); } } @@ -289,7 +286,7 @@ static HEDLEY_NEVER_INLINE void init_requesturi_mt(lua_State *L) { } static void lua_push_requesturi_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_REQUESTURI)) { + if (li_lua_new_protected_metatable(L, LUA_REQUESTURI)) { init_requesturi_mt(L); } } diff --git a/src/main/response_lua.c b/src/main/response_lua.c index 868a341..b5a7a57 100644 --- a/src/main/response_lua.c +++ b/src/main/response_lua.c @@ -1,9 +1,6 @@ #include -#include -#include - #define LUA_RESPONSE "liResponse*" typedef int (*lua_Response_Attrib)(liResponse *resp, lua_State *L); @@ -127,7 +124,7 @@ static HEDLEY_NEVER_INLINE void init_response_mt(lua_State *L) { } static void lua_push_response_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_RESPONSE)) { + if (li_lua_new_protected_metatable(L, LUA_RESPONSE)) { init_response_mt(L); } } 
diff --git a/src/main/stat_lua.c b/src/main/stat_lua.c index 6c728c9..dcb1f55 100644 --- a/src/main/stat_lua.c +++ b/src/main/stat_lua.c @@ -1,10 +1,6 @@ #include -#include -#include - - /* struct stat */ #define LUA_STAT "struct stat" @@ -211,7 +207,7 @@ static HEDLEY_NEVER_INLINE void init_stat_mt(lua_State *L) { } static void lua_push_stat_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_STAT)) { + if (li_lua_new_protected_metatable(L, LUA_STAT)) { init_stat_mt(L); } } diff --git a/src/main/subrequest_lua.c b/src/main/subrequest_lua.c index 7fc4408..41ed89d 100644 --- a/src/main/subrequest_lua.c +++ b/src/main/subrequest_lua.c @@ -2,9 +2,6 @@ #include #include -#include -#include - typedef struct liSubrequest liSubrequest; struct liSubrequest { liWorker *wrk; @@ -161,7 +158,7 @@ static HEDLEY_NEVER_INLINE void init_subrequest_mt(lua_State *L) { } static void lua_push_subrequest_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_SUBREQUEST)) { + if (li_lua_new_protected_metatable(L, LUA_SUBREQUEST)) { init_subrequest_mt(L); } } diff --git a/src/main/value_lua.c b/src/main/value_lua.c index 3817105..107849f 100644 --- a/src/main/value_lua.c +++ b/src/main/value_lua.c @@ -4,8 +4,6 @@ #include #include -#include - #define LUA_KVLIST_VALUE "li KeyValue list (string, liValue*)" static int lua_kvlist_index(lua_State *L) { @@ -63,7 +61,7 @@ static HEDLEY_NEVER_INLINE void init_kvlist_mt(lua_State *L) { } static void lua_push_kvlist_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_KVLIST_VALUE)) { + if (li_lua_new_protected_metatable(L, LUA_KVLIST_VALUE)) { init_kvlist_mt(L); } } diff --git a/src/main/virtualrequest_lua.c b/src/main/virtualrequest_lua.c index c688c3c..49f3450 100644 --- a/src/main/virtualrequest_lua.c +++ b/src/main/virtualrequest_lua.c @@ -2,9 +2,6 @@ #include #include -#include -#include - #define LUA_VREQUEST "liVRequest*" typedef int (*lua_VRequest_Attrib)(liVRequest *vr, lua_State *L); 
@@ -345,7 +342,7 @@ static HEDLEY_NEVER_INLINE void init_vrequest_mt(lua_State *L) { } static void lua_push_vrequest_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_VREQUEST)) { + if (li_lua_new_protected_metatable(L, LUA_VREQUEST)) { init_vrequest_mt(L); } } @@ -493,7 +490,7 @@ static HEDLEY_NEVER_INLINE void init_coninfo_mt(lua_State *L) { } static void lua_push_coninfo_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_CONINFO)) { + if (li_lua_new_protected_metatable(L, LUA_CONINFO)) { init_coninfo_mt(L); } } diff --git a/src/modules/mod_lua.c b/src/modules/mod_lua.c index 04d4206..f602e86 100644 --- a/src/modules/mod_lua.c +++ b/src/modules/mod_lua.c @@ -18,9 +18,6 @@ #include #include -#include -#include - #ifndef DEFAULT_LUADIR #define DEFAULT_LUADIR "/usr/local/share/lighttpd2/lua" #endif diff --git a/src/modules/mod_memcached.c b/src/modules/mod_memcached.c index 20ad817..504f34a 100644 --- a/src/modules/mod_memcached.c +++ b/src/modules/mod_memcached.c @@ -16,8 +16,6 @@ #ifdef HAVE_LUA_H # include -# include -# include #endif LI_API gboolean mod_memcached_init(liModules *mods, liModule *mod); @@ -920,7 +918,7 @@ static HEDLEY_NEVER_INLINE void init_mc_con_mt(lua_State *L) { } static void lua_push_mc_con_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_MEMCACHEDCON)) { + if (li_lua_new_protected_metatable(L, LUA_MEMCACHEDCON)) { init_mc_con_mt(L); } } @@ -997,7 +995,7 @@ static HEDLEY_NEVER_INLINE void init_mc_req_mt(lua_State *L) { } static void lua_push_mc_req_metatable(lua_State *L) { - if (luaL_newmetatable(L, LUA_MEMCACHEDREQUEST)) { + if (li_lua_new_protected_metatable(L, LUA_MEMCACHEDREQUEST)) { init_mc_req_mt(L); } }