Diffstat (limited to 'contrib/libucl/lua_ucl.c')
-rw-r--r-- | contrib/libucl/lua_ucl.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/contrib/libucl/lua_ucl.c b/contrib/libucl/lua_ucl.c
index 473aefe0c..13306b942 100644
--- a/contrib/libucl/lua_ucl.c
+++ b/contrib/libucl/lua_ucl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Vsevolod Stakhov
+ * Copyright 2025 Vsevolod Stakhov
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -694,7 +694,13 @@ static int lua_ucl_parser_init(lua_State *L)
 {
 struct ucl_parser *parser, **pparser;
- int flags = UCL_PARSER_NO_FILEVARS;
+ /*
+ * We disable file variables and macros by default, as
+ * the most use cases are parsing of JSON and not of the real
+ * files. Macros in the parser are very dangerous and should be used
+ * for trusted data only.
+ */
+ int flags = UCL_PARSER_SAFE_FLAGS;
 if (lua_gettop(L) >= 1) {
 flags = lua_tonumber(L, 1);
@@ -1091,7 +1097,7 @@ lua_ucl_parser_validate(lua_State *L)
 }
 }
 else if (lua_type(L, 2) == LUA_TSTRING) {
- schema_parser = ucl_parser_new(0);
+ schema_parser = ucl_parser_new(UCL_PARSER_SAFE_FLAGS);
 schema_file = luaL_checkstring(L, 2);
 if (!ucl_parser_add_file(schema_parser, schema_file)) { |
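Review bot: In lua_ucl_parser_init the safe default applies only when the Lua caller passes no argument, because the context line `flags = lua_tonumber(L, 1);` overwrites it completely. A caller that passes any flags value loses the protections the new comment describes, and so does one that passes a non-numeric first argument, for which lua_tonumber yields 0. Since the comment reserves macros for trusted data, the opt-out should be deliberate: `flags = luaL_checkinteger(L, 1);` would raise on a wrong-typed argument instead of silently clearing the flags. I would also end the comment with `Passing an explicit flags argument replaces these defaults.` The function body continues past the end of the hunk.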
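Review bot: The LUA_TSTRING branch of lua_ucl_parser_validate now loads the schema file under the restricted flag set, but nothing at the call site says so, and this is a behaviour change for existing schemas. The definition of UCL_PARSER_SAFE_FLAGS is not part of this file's diff; if it disables macros as the comment in lua_ucl_parser_init describes, a schema file that pulls in other files through macros would presumably be parsed without them and validate against a smaller schema than its author intended. I would add a comment above the call such as `/* schema files are parsed with macros and file variables disabled */` and mention the change in the Lua API documentation. The branch begins and ends outside the hunk.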