Extend the first CVE-2018-1999023 unit test to also try loadstring()

Like @gfgtdf pointed out, loadstring() is still supported by Lua in the name of backwards compatibility, even though it was deprecated in Lua 5.2 and is no longer mentioned in Lua manual. Thus, as of committing this it's actually possible to load Lua bytecode. Let's unit test this to ensure that we don't reintroduce this vulnerability.
2018-07-28 07:38:00 +03:00 · 2018-07-28 07:38:00 +03:00 · aa73b83600
commit aa73b83600
parent d13c451afb
1 changed files with 15 additions and 9 deletions
--- a/data/test/scenarios/test_cve_2018_1999023.cfg
+++ b/data/test/scenarios/test_cve_2018_1999023.cfg
@ -7,20 +7,26 @@
    [/lua]
    [lua]
        code = <<
-		local function f1()
-			bytecode_executed = true
-		end
-		local f2, err = load(string.dump(f1))
-		if f2 then
-			f2()
-		end
-		>>
+            local function f1()
+                bytecode_executed = true
+            end
+            local f2, err = load(string.dump(f1))
+            if f2 then
+                f2()
+            end
+            pcall(function()
+                f2, err = loadstring(string.dump(f1))
+                if f2 then
+                    f2()
+                end
+            end)
+        >>
    [/lua]
    [event]
        name = prestart
        [lua]
        code = <<
-			wml.variables["execution_prevented"] = not rawget(_G, "bytecode_executed")
+            wml.variables["execution_prevented"] = not rawget(_G, "bytecode_executed")
        >>
        [/lua]
        {ASSERT ({VARIABLE_CONDITIONAL execution_prevented equals yes})}