BUG/MEDIUM: hlua: Forbid any L6/L7 sample fetche functions from lua services

It was already forbidden to use HTTP sample fetch functions from lua
services. An error is triggered if it happens. However, the error must be
extended to any L6/L7 sample fetch functions.

Indeed, a lua service is an applet. It totally unexepected for an applet to
access to input data in a channel's buffer. These data have not been
analyzed yet and are still subject to any change. An applet, lua or not,
must never access to "not forwarded" data. Only output data are
available. For now, if a lua applet relies on any L6/L7 sampel fetch
functions, the behavior is undefined and not consistent.

So to fix the issue, hlua flag HLUA_F_MAY_USE_HTTP is renamed to
HLUA_F_MAY_USE_CHANNELS_DATA. This flag is used to prevent any lua applet to
use L6/L7 sample fetch functions.

This patch could be backported to all stable versions.

diff --git a/include/haproxy/hlua-t.h b/include/haproxy/hlua-t.h
index ed2cfad750d378a49155c6ad4a124605ee4caeb7..9716868f8af622e761d79f7716d5d7ac2d2cd42f 100644 (file)
--- a/include/haproxy/hlua-t.h
+++ b/include/haproxy/hlua-t.h
@@ -72,8 +72,8 @@ struct stream;
 #define HLUA_NOYIELD   0x00000020
 #define HLUA_BUSY      0x00000040
 
-#define HLUA_F_AS_STRING    0x01
-#define HLUA_F_MAY_USE_HTTP 0x02
+#define HLUA_F_AS_STRING             0x01
+#define HLUA_F_MAY_USE_CHANNELS_DATA 0x02
 
 /* HLUA TXN flags */
 #define HLUA_TXN_NOTERM   0x00000001

diff --git a/src/hlua.c b/src/hlua.c
index d4734e0af22783451294dc3d2911b3a560e475da..48acc0b79a19918ccc4ec3c6cc0b86cb9ea11060 100644 (file)
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -4907,10 +4907,10 @@ __LJMP static int hlua_run_sample_fetch(lua_State *L)
        hsmp = MAY_LJMP(hlua_checkfetches(L, 1));
 
        /* Check execution authorization. */
-       if (f->use & SMP_USE_HTTP_ANY &&
-           !(hsmp->flags & HLUA_F_MAY_USE_HTTP)) {
-               lua_pushfstring(L, "the sample-fetch '%s' needs an HTTP parser which "
-                                  "is not available in Lua services", f->kw);
+       if ((f->use & (SMP_USE_L6REQ|SMP_USE_L6RES|SMP_USE_HTTP_ANY)) &&
+           !(hsmp->flags & HLUA_F_MAY_USE_CHANNELS_DATA)) {
+               lua_pushfstring(L, "the sample-fetch '%s' needs to access data from channel's buffer which"
+                               " is not available in Lua services", f->kw);
                WILL_LJMP(lua_error(L));
        }
 
@@ -8588,13 +8588,13 @@ __LJMP static int hlua_txn_new(lua_State *L, struct stream *s, struct proxy *p,
 
        /* Create the "f" field that contains a list of fetches. */
        lua_pushstring(L, "f");
-       if (!hlua_fetches_new(L, htxn, HLUA_F_MAY_USE_HTTP))
+       if (!hlua_fetches_new(L, htxn, HLUA_F_MAY_USE_CHANNELS_DATA))
                return 0;
        lua_rawset(L, -3);
 
        /* Create the "sf" field that contains a list of stringsafe fetches. */
        lua_pushstring(L, "sf");
-       if (!hlua_fetches_new(L, htxn, HLUA_F_MAY_USE_HTTP | HLUA_F_AS_STRING))
+       if (!hlua_fetches_new(L, htxn, HLUA_F_MAY_USE_CHANNELS_DATA | HLUA_F_AS_STRING))
                return 0;
        lua_rawset(L, -3);