[wesnoth-commits] [wesnoth/wesnoth] aa73b8: Extend the first CVE-2018-1999023 unit test to als...
GitHub
noreply at github.com
Sat Jul 28 05:19:27 UTC 2018
Branch: refs/heads/master
Home: https://github.com/wesnoth/wesnoth
Commit: aa73b836009ca98cade2d0dfca6b99cbf8d19e76
https://github.com/wesnoth/wesnoth/commit/aa73b836009ca98cade2d0dfca6b99cbf8d19e76
Author: Jyrki Vesterinen <sandgtx at gmail.com>
Date: 2018-07-28 (Sat, 28 Jul 2018)
Changed paths:
M data/test/scenarios/test_cve_2018_1999023.cfg
Log Message:
-----------
Extend the first CVE-2018-1999023 unit test to also try loadstring()

Like @gfgtdf pointed out, loadstring() is still supported by Lua in the
name of backwards compatibility, even though it was deprecated in Lua 5.2
and is no longer mentioned in the Lua manual. Thus, as of committing this it's
actually possible to load Lua bytecode.

Let's unit test this to ensure that we don't reintroduce this
vulnerability.

Commit: 6450bada57f95af55c490f9d7601ef5e073cdaf1
https://github.com/wesnoth/wesnoth/commit/6450bada57f95af55c490f9d7601ef5e073cdaf1
Author: Jyrki Vesterinen <sandgtx at gmail.com>
Date: 2018-07-28 (Sat, 28 Jul 2018)
Changed paths:
M src/scripting/lua_kernel_base.cpp
Log Message:
-----------
Lua: delete loadstring()

Fixes the vulnerability introduced in commit 52ae31efb21b31f5bb0763d1da24709e90393c59.

Commit: 74d8cfa98e0f61ee22a536fc06c2019c9c89aede
https://github.com/wesnoth/wesnoth/commit/74d8cfa98e0f61ee22a536fc06c2019c9c89aede
Author: Jyrki Vesterinen <sandgtx at gmail.com>
Date: 2018-07-28 (Sat, 28 Jul 2018)
Changed paths:
M run_wml_tests
Log Message:
-----------
WML unit tests: port ability to override strict mode from 1.14

The ability isn't needed in master because none of the unit tests call
deprecated functions here, but it may be useful in the future or make
cherry-picking of future changes easier.

Compare: https://github.com/wesnoth/wesnoth/compare/d13c451afb54...74d8cfa98e0f
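
The first commit message above notes that loadstring() stayed available and could load Lua bytecode. The Lua 5.2+ sketch below is an added example, not code from the Wesnoth repository: it audits an environment table for loaders that accept a precompiled chunk. The helper names, the text-only wrapper and the sample environments are assumptions made for illustration.

```lua
-- Added example; accepts_bytecode, text_only_load and audit are hypothetical names.
-- Constructed, harmless sample: a precompiled (binary) chunk from string.dump.
local sample = string.dump(function() return 42 end)

-- True if `loader` compiles the binary sample into a callable function.
local function accepts_bytecode(loader)
  local ok, fn = pcall(loader, sample)
  return ok and type(fn) == "function"
end

-- Text-only loader: forces mode "t" so load() rejects binary chunks.
-- The caller's mode is discarded; env is forwarded only if it was passed,
-- because an explicit nil env would leave the chunk without _ENV.
local function text_only_load(chunk, chunkname, _mode, ...)
  return load(chunk, chunkname, "t", ...)
end

-- Names of the loaders in `env` that still accept bytecode.
local function audit(env)
  local findings = {}
  for _, name in ipairs({ "load", "loadstring" }) do
    local f = env[name]
    if type(f) == "function" and accepts_bytecode(f) then
      findings[#findings + 1] = name
    end
  end
  return findings
end

-- Constructed environments. `loadstring = load` stands in for the
-- backwards-compatibility alias the commit message describes (assumption).
local exposed  = { load = load, loadstring = load }
local hardened = { load = text_only_load }  -- loadstring deleted

print("exposed:  " .. table.concat(audit(exposed), ", "))
print("hardened: " .. #audit(hardened) .. " loader(s) accept bytecode")

-- Source text must keep working after hardening.
assert(text_only_load("return 1 + 1")() == 2)
```

Checking every name in the table rather than only load() is the point: a restriction applied to one loader does nothing if an alias to the unrestricted function is still reachable.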