another take on the whole string cleansing, by adding specific poison

keywords in foo.bar strings.  Add items to the poison array to block them.
0.6.0-stable
Sean Dague 2008-05-27 22:25:14 +00:00
parent 7a77a069dd
commit 46d91df2a8
1 changed files with 5 additions and 2 deletions


@ -116,8 +116,11 @@ namespace OpenSim.Region.ScriptEngine.DotNetEngine.Compiler.LSL
// ignores alpha.x alpha.y, alpha.z for refering to vector components
Match SecurityM;
// BROKEN: this check is very wrong. It block's any url in strings.
SecurityM = Regex.Match(checkscript, @"(?:[a-zA-Z])\.(?:[a-wA-Z]|[a-zA-Z][a-zA-Z])", RegexOptions.Compiled | RegexOptions.Multiline | RegexOptions.Singleline);
// Instead of blocking all foo.bar values, block only the ones that will hit
// namespaces we don't like. To add more of these bad namespaces at them
// to the poison array.
String[] poison = {"System"};
SecurityM = Regex.Match(checkscript, @"(" + String.Join("|", poison) + @")\.(?:[a-wA-Z]|[a-zA-Z][a-zA-Z])", RegexOptions.Compiled | RegexOptions.Multiline | RegexOptions.Singleline);
if (SecurityM.Success)
throw new Exception("CS0103: 'The . symbol cannot be used in LSL except in float values or vector components'");
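Review bot: The check introduced with `String[] poison = {"System"};` is a one-entry denylist applied to script text, so it covers only the literal `System.` spelling; any other namespace reachable from the compiled script, and any spelling the C# compiler treats as equivalent, is left unchecked. If this regex is meant to be the boundary between user scripts and the .NET class library (the hunk does not show what else guards it), it should be backed by an allowlist or by restricting what the compiled assembly may reference and do, keeping the regex only as an early, readable error. The entries are also joined into the pattern unescaped and without a word boundary, so a future entry containing a regex metacharacter changes the pattern, and ordinary string text ending in "System." followed by a letter still trips it; `@"\b(?:" + String.Join("|", Array.ConvertAll<string, string>(poison, Regex.Escape)) + @")\."` followed by the existing tail of the pattern addresses both. The exception text still says the `.` symbol cannot be used at all, which no longer describes what is blocked. The enclosing method starts and ends outside the hunk.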