From 46d91df2a8303087ff211a3366660a6bd6e799d9 Mon Sep 17 00:00:00 2001
From: Sean Dague
Date: Tue, 27 May 2008 22:25:14 +0000
Subject: another take on the whole string cleansing, by adding specific poison keywords in foo.bar strings. Add items to the poison array to block them.
---
.../ScriptEngine/DotNetEngine/Compiler/LSL/LSL2CSConverter.cs | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'OpenSim/Region/ScriptEngine/DotNetEngine/Compiler/LSL')
diff --git a/OpenSim/Region/ScriptEngine/DotNetEngine/Compiler/LSL/LSL2CSConverter.cs b/OpenSim/Region/ScriptEngine/DotNetEngine/Compiler/LSL/LSL2CSConverter.cs
index d132f8c..5d51898 100644
--- a/OpenSim/Region/ScriptEngine/DotNetEngine/Compiler/LSL/LSL2CSConverter.cs
+++ b/OpenSim/Region/ScriptEngine/DotNetEngine/Compiler/LSL/LSL2CSConverter.cs
@@ -116,8 +116,11 @@ namespace OpenSim.Region.ScriptEngine.DotNetEngine.Compiler.LSL
 // ignores alpha.x alpha.y, alpha.z for refering to vector components
 Match SecurityM;
- // BROKEN: this check is very wrong. It block's any url in strings.
- SecurityM = Regex.Match(checkscript, @"(?:[a-zA-Z])\.(?:[a-wA-Z]|[a-zA-Z][a-zA-Z])", RegexOptions.Compiled | RegexOptions.Multiline | RegexOptions.Singleline);
+ // Instead of blocking all foo.bar values, block only the ones that will hit
+ // namespaces we don't like. To add more of these bad namespaces at them
+ // to the poison array.
+ String[] poison = {"System"};
+ SecurityM = Regex.Match(checkscript, @"(" + String.Join("|", poison) + @")\.(?:[a-wA-Z]|[a-zA-Z][a-zA-Z])", RegexOptions.Compiled | RegexOptions.Multiline | RegexOptions.Singleline);
 if (SecurityM.Success) throw new Exception("CS0103: 'The . symbol cannot be used in LSL except in float values or vector components'");
-- 
cgit v1.1
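Review bot: The rebuilt pattern on the added `SecurityM = Regex.Match(...)` line is a text denylist with a single entry (`"System"`), so it cannot serve as the script sandbox boundary by itself: any namespace not listed passes, and the match depends on the exact spelling in the script text. It is better treated as a lint, with the restriction enforced where the script is compiled and loaded (the assemblies and permissions it is given); that code is outside this hunk, so whether such a control exists cannot be confirmed from here. Within the hunk, the alternation has no leading `\b` and the entries are not escaped, so an identifier that merely ends in `System` is rejected and a future entry containing a regex metacharacter would silently change the pattern; `@"\b(?:" + String.Join("|", Array.ConvertAll<string, string>(poison, Regex.Escape)) + @")\.(?:[a-wA-Z]|[a-zA-Z][a-zA-Z])"` keeps the current behaviour otherwise. The exception text still says that `.` is forbidden outside floats and vector components, which no longer describes the check and will mislead script authors who hit it.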