Extend the first CVE-2018-1999023 unit test to also try loadstring()

Like @gfgtdf pointed out, loadstring() is still supported by Lua in the name of backwards compatibility, even though it was deprecated in Lua 5.2 and is no longer mentioned in Lua manual. Thus, as of committing this it's actually possible to load Lua bytecode. Let's unit test this to ensure that we don't reintroduce this vulnerability. (cherry-picked from commit aa73b83600)
2018-07-28 07:38:00 +03:00 · 2018-07-28 07:38:00 +03:00 · 21999b1fc9
commit 21999b1fc9
parent 912dfcc9e6
1 changed files with 15 additions and 9 deletions
--- a/data/test/scenarios/test_cve_2018_1999023.cfg
+++ b/data/test/scenarios/test_cve_2018_1999023.cfg
@ -7,20 +7,26 @@
    [/lua]
    [lua]
        code = <<
-		local function f1()
-			bytecode_executed = true
-		end
-		local f2, err = load(string.dump(f1))
-		if f2 then
-			f2()
-		end
-		>>
+            local function f1()
+                bytecode_executed = true
+            end
+            local f2, err = load(string.dump(f1))
+            if f2 then
+                f2()
+            end
+            pcall(function()
+                f2, err = loadstring(string.dump(f1))
+                if f2 then
+                    f2()
+                end
+            end)
+        >>
    [/lua]
    [event]
        name = prestart
        [lua]
        code = <<
-			wml.variables["execution_prevented"] = not rawget(_G, "bytecode_executed")
+            wml.variables["execution_prevented"] = not rawget(_G, "bytecode_executed")
        >>
        [/lua]
        {ASSERT ({VARIABLE_CONDITIONAL execution_prevented equals yes})}