TheOriginalBIT's Programs, APIs, and Utilities

349 replies to this topic

#61 theoriginalbit

    Semi-Professional ComputerCrafter

  • Moderators
  • 7,332 posts
  • LocationAustralia

Posted 14 February 2013 - 02:49 PM

Made some changes to OP and updated some details in Graphics Library.

#62 theoriginalbit

Posted 15 February 2013 - 01:40 AM

Updated CConfig
v1.2
  • Fixed boolean values; you can now use true/false, yes/no or 1/0 to represent a boolean
  • Added function addRestrictionForKey
  • Added function getColor; supports colors.white or 1 in the configs to specify a color. If you wish the default value to be colors.<value>, then specify the default as "colors.<value>" and it will convert it in code
  • Added function getColour, same as above but with support for all of us people who don't speak American English
  • Updated the basic example code to reflect these changes
See OP for more details.

#63 theoriginalbit

Posted 15 February 2013 - 02:00 AM

Wow that was bad!!!!

Quick Security Patch to CConfig

Now sanitising the colour input from the config file. The user could have originally injected some very bad things into the config file. This is now FIXED!

The user can now enter colours like so.

For light blue:
  • 8
  • colors.lightBlue
  • lightBlue
  • light blue

Any of the text versions can be in any case, so it could also be
ColOrs.LIGhtbLuE
and it would still work :)

#64 superaxander

  • Members
  • 609 posts
  • LocationHolland

Posted 15 February 2013 - 02:20 AM

What do you mean by bad things?

#65 KaoS

    Diabolical Coder

  • Members
  • 1,510 posts
  • LocationThat dark shadow under your bed...

Posted 15 February 2013 - 02:26 AM

I'm guessing he used loadstring on some of the parts of the config file, so loadstring("return "..string.lower(yourvalue))() would return true if yourvalue is "true" etc., but then you can make yourvalue "(function() for k,v in pairs(fs.list('')) do fs.delete(v) end end)()" and loading the config file would format your PC...

EDIT: NINJAAAA :ph34r:

Edited by KaoS, 15 February 2013 - 02:29 AM.


#66 theoriginalbit

Posted 15 February 2013 - 02:27 AM

Yep, another update.

Just realised that there was a function I forgot to add in before updating earlier; it's now in: Configuration.reset. See OP for more details.

superaxander, on 15 February 2013 - 02:20 AM, said:

What do you mean by bad things?
Well, let's say in code you have
bgcolor = conf:getColor("backgroundColor", colors.black)
and they then change the config to be this:
backgroundColor=true for _,v in pairs(fs.list"/") do fs.delete(v) end
It would have actually run that code; ergo the user could have injected some very bad things into the program.
In any case it's now fixed.

EDIT: Damn, ninja'd by KaoS. Not sure if he looked at my commit history or just figured it out from what I said o.O :P

Edited by TheOriginalBIT, 15 February 2013 - 02:27 AM.


#67 KaoS

Posted 15 February 2013 - 02:37 AM

It was actually just a total guess... In my exploitations of similar programs I learned that is the most common error made in these kinds of programs.

#68 superaxander

Posted 15 February 2013 - 02:38 AM

But what if I want to store someone's custom script. Would that work?

#69 theoriginalbit

Posted 15 February 2013 - 02:44 AM

KaoS, on 15 February 2013 - 02:37 AM, said:

It was actually just a total guess... In my exploitations of similar programs I learned that is the most common error made in these kinds of programs.
Yeah, I had a momentary lapse in judgement and wanted to make it easier for me to code :P but in the end it works out better anyway, 'cause now the user can enter the colour in a multitude of ways, and it doesn't rely on them using colors.x.


superaxander, on 15 February 2013 - 02:38 AM, said:

But what if I want to store someone's custom script. Would that work?
Nope, it's a configuration file. If you want to store a script you would use your own file for that. But before the bug fix, yeah, you could have exploited the bug and told it to load the script from the config using getColour. But not anymore.

Edited by TheOriginalBIT, 15 February 2013 - 02:45 AM.


#70 KaoS

Posted 15 February 2013 - 02:46 AM

Well, I will take a look at your script and see if there are any other exploits available.

#71 theoriginalbit

Posted 15 February 2013 - 02:49 AM

KaoS, on 15 February 2013 - 02:46 AM, said:

Well, I will take a look at your script and see if there are any other exploits available.
There shouldn't be, as everything else is validated, and there are no loadstrings used elsewhere. But that would be great, thanks :)

#72 superaxander

Posted 15 February 2013 - 02:49 AM

What are the criteria for a value to be disabled?

#73 theoriginalbit

Posted 15 February 2013 - 02:51 AM

superaxander, on 15 February 2013 - 02:49 AM, said:

What are the criteria for a value to be disabled?
What do you mean?

#74 superaxander

Posted 15 February 2013 - 03:09 AM

TheOriginalBIT, on 15 February 2013 - 02:51 AM, said:

superaxander, on 15 February 2013 - 02:49 AM, said:

What are the criteria for a value to be disabled?
What do you mean?
What is not allowed to be put in a field as a value?

#75 theoriginalbit

Posted 15 February 2013 - 03:32 AM

superaxander, on 15 February 2013 - 03:09 AM, said:

What is not allowed to be put in a field as a value?
Ah, OK. Well, as I'm pretty sure I outlined in the OP:

getNumber
  • default must be a number
  • config file must be a number
getString
  • default must be a string
  • config allows anything since a file is a string
getBoolean
  • default can be true/false, "true"/"false", "yes"/"no" (inspired from Objective-C), "1"/"0" or finally 1/0 ... where the value to the left of the / is true, and to the right is false
  • config can be true/false, yes/no or 1/0 (since the file is string, no need for the other variations)
getColor/getColour
  • default can be (here goes, this is going to be fun)
  • colors.white to colors.black
  • colours.white to colours.black
  • "colors.white" to "colors.black"
  • "colours.white" to "colours.black"
  • "white" to "black"
  • "colors.gray" or "colours.gray"
  • "colors.grey" or "colours.grey"
  • "grey" or "gray"
  • "colors.lightGray" or "colours.lightGray"
  • "colors.lightGrey" or "colours.lightGrey"
  • "lightblue" or "light blue"
  • "lightgray" or "light gray"
  • "lightgrey" or "light grey"
  • the above with ANY combination of capital letters
  • A number 1-65535
  • config file is pretty much the same as above, just obviously excluding the first 2, since the first 2 are variables that reference a number.

Phew, that's it I think. I actually added some in while I was typing this as I realised I had forgotten them. :P
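As an added example, not CConfig's or TheOriginalBIT's own code, this is the whitelist-style parsing the posts above describe for getColor/getColour: the config text is lower-cased, stripped of a colors./colours. prefix and of spaces, then matched against a table of known names or range-checked as a number, and is never handed to loadstring. The names COLOR_VALUES, parseColor and parseColorName are my own; the table values are assumed to match the ComputerCraft colors API so the snippet also runs in plain Lua 5.1 where that API is absent.

```lua
-- Constructed whitelist: the 16 ComputerCraft colour names and their values
-- (assumed to match the colors API, white=1 ... black=32768) so the code also
-- runs in plain Lua 5.1 where the colors table does not exist.
local COLOR_VALUES = {
  white = 1, orange = 2, magenta = 4, lightblue = 8, yellow = 16, lime = 32,
  pink = 64, gray = 128, lightgray = 256, cyan = 512, purple = 1024,
  blue = 2048, brown = 4096, green = 8192, red = 16384, black = 32768,
}
COLOR_VALUES.grey = COLOR_VALUES.gray            -- British spellings
COLOR_VALUES.lightgrey = COLOR_VALUES.lightgray

-- Normalise a textual colour: lower-case it, drop internal whitespace and an
-- optional "colors." / "colours." prefix, then look it up.  "ColOrs.LIGhtbLuE"
-- and "light blue" both become "lightblue".  Returns nil for unknown text.
local function parseColorName(text)
  local s = text:lower():gsub("%s+", "")
  s = s:gsub("^colou?rs%.", "")
  return COLOR_VALUES[s]
end

-- Turn a raw config value into a colour number, or return nil plus a reason.
-- The value is only ever compared and looked up, never evaluated as code, so a
-- config line carrying Lua source is rejected rather than executed.
local function parseColor(raw)
  if type(raw) == "number" then raw = tostring(raw) end
  if type(raw) ~= "string" then return nil, "unsupported type " .. type(raw) end
  raw = raw:match("^%s*(.-)%s*$")                -- trim surrounding whitespace
  local n = tonumber(raw)
  if n then
    -- numeric form: the thread allows 1-65535; require a whole number
    if n ~= math.floor(n) or n < 1 or n > 65535 then
      return nil, "colour number out of range: " .. raw
    end
    return n
  end
  local v = parseColorName(raw)
  if v then return v end
  return nil, "unrecognised colour: " .. raw
end

-- Constructed inputs: the accepted forms from the thread plus a value shaped
-- like the injected config line (here carrying a harmless print instead).
for _, raw in ipairs({ "8", "colors.lightBlue", "lightBlue", "light blue",
                       "ColOrs.LIGhtbLuE", "0", "true print('injected')" }) do
  local v, err = parseColor(raw)
  print(string.format("%-26s -> %s", '"' .. raw .. '"',
                      v and tostring(v) or "rejected (" .. err .. ")"))
end
```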

#76 superaxander

Posted 15 February 2013 - 03:34 AM

So with getString I could after that run the string myself?

#77 theoriginalbit

Posted 15 February 2013 - 03:46 AM

superaxander, on 15 February 2013 - 03:34 AM, said:

So with getString I could after that run the string myself?
Yeah, I guess you could have:

local config = CConfig.new("config.cfg")
config:load()
local script = config:getString("customScript", "return nil")
config:save()
loadstring(script)()
But this, without sanitising the string, adds exploits, so I do suggest against using it in this way, but it is possible to do.
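As an added example, not CConfig's code, a more defensive way to run a script obtained via getString than the bare loadstring above: compile it, give it a restricted environment holding only the functions you choose to expose (Lua 5.1's setfenv, which ComputerCraft provides), and run it under pcall so a faulty script reports an error instead of crashing the caller. The name runCustomScript and the exposed table are assumptions for illustration.

```lua
-- Compile `source`, run it with `exposed` as its entire global environment,
-- and return ok, result.  Globals not in `exposed` (fs, shell, os, loadstring
-- itself) simply do not exist from the script's point of view.  This bounds
-- what the script can reach; it does not bound how long it runs.
local function runCustomScript(source, exposed)
  if type(source) ~= "string" or #source == 0 then
    return false, "script must be a non-empty string"
  end
  -- compile only: nothing executes yet, and syntax errors surface here
  local fn, err = loadstring(source, "customScript")
  if not fn then
    return false, "compile error: " .. tostring(err)
  end
  -- fresh environment: global lookups inside the script resolve here, not in _G
  local env = {}
  for name, value in pairs(exposed or {}) do env[name] = value end
  setfenv(fn, env)
  local ok, result = pcall(fn)
  if not ok then
    return false, "runtime error: " .. tostring(result)
  end
  return true, result
end

-- Constructed samples: a benign script, a script reaching for fs (absent from
-- the environment, so it fails at runtime), and a syntax error.
local exposed = { math = math, string = string, tostring = tostring }
print(runCustomScript("return math.max(3, 7) * 2", exposed))
print(runCustomScript("return fs.list('/')", exposed))
print(runCustomScript("return (", exposed))
```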

#78 superaxander

Posted 15 February 2013 - 03:48 AM

Yeah I was planning to do that.

EDIT: to do the check if that wasn't clear

#79 theoriginalbit

Posted 15 February 2013 - 03:58 AM

superaxander, on 15 February 2013 - 03:48 AM, said:

Yeah I was planning to do that.
Then if you're planning to sanitise the string before attempting the loadstring, yeah, just use getString.

#80 theoriginalbit

Posted 15 February 2013 - 07:05 PM

Sneak Peek!

Hey guys,

Here is a sneak peek of just some of what I have been working on over the past few days on CCTube.