-- SecureHandlers.lua (Part of the Secure Handlers implementation)
--
-- Lua code to support the various handlers and templates which can execute
-- code in a secure, but restricted, environment.
--
-- Daniel Stephens (iriel@vigilance-committee.org)
-- Nevin Flanagan (alestane@comcast.net)
---------------------------------------------------------------------------
-- Local references to things so that they can't be subverted
local error = error;
local forceinsecure = forceinsecure;
local geterrorhandler = geterrorhandler;
local issecure = issecure;
local newproxy = newproxy;
local pcall = pcall;
local securecall = securecall;
local select = select;
local tostring = tostring;
local type = type;
local wipe = wipe;
local GetCursorInfo = GetCursorInfo;
local InCombatLockdown = InCombatLockdown;
local CallRestrictedClosure = CallRestrictedClosure;
local GetFrameHandle = GetFrameHandle;
local GetManagedEnvironment = GetManagedEnvironment;
-- SoftError(message)
-- Report an error message without stopping execution
local function SoftError_inner(message)
local func = geterrorhandler();
func(message);
end
local function SoftError(message)
securecall(pcall, SoftError_inner, message);
end
---------------------------------------------------------------------------
-- Standard invocation for header executions and child executions
local function SecureHandler_Self_Execute(self, signature, body, ...)
if (type(body) ~= "string") then return; end
local selfHandle = GetFrameHandle(self, true);
if (not selfHandle) then
error("Invalid 'self' frame handle");
return;
end
local environment = GetManagedEnvironment(self, true);
return CallRestrictedClosure(signature, environment, selfHandle,
body, selfHandle, ...);
end
local function SecureHandler_Other_Execute(header, self, signature, body, ...)
if (type(body) ~= "string") then return; end
local controlHandle = GetFrameHandle(header, true);
if (not controlHandle) then
return( error("Invalid 'header' frame handle") );
end
local selfHandle = GetFrameHandle(self, true);
if (not selfHandle) then return; end
local environment = GetManagedEnvironment(header, true);
return CallRestrictedClosure(signature, environment, controlHandle,
body, selfHandle, ...);
end
---------------------------------------------------------------------------
-- Script handlers for various header templates
function SecureHandler_OnSimpleEvent(self, snippetAttr)
local body = self:GetAttribute(snippetAttr);
if (body) then
SecureHandler_Self_Execute(self, "self", body);
end
end
function SecureHandler_OnClick(self, snippetAttr, button, down)
local body = self:GetAttribute(snippetAttr);
if (body) then
SecureHandler_Self_Execute(self, "self,button,down",
body, button, down);
end
end
function SecureHandler_OnMouseUpDown(self, snippetAttr, button)
local body = self:GetAttribute(snippetAttr);
if (body) then
SecureHandler_Self_Execute(self, "self,button", body, button);
end
end
function SecureHandler_OnMouseWheel(self, snippetAttr, delta)
local body = self:GetAttribute(snippetAttr);
if (body) then
SecureHandler_Self_Execute(self, "self,delta", body, delta);
end
end
function SecureHandler_StateOnAttributeChanged(self, name, value)
local stateid = name:match("^state%-(.+)");
if (stateid) then
local body = self:GetAttribute("_onstate-" .. stateid);
if (body) then
SecureHandler_Self_Execute(self, "self,stateid,newstate",
body, stateid, value);
end
end
end
function SecureHandler_AttributeOnAttributeChanged(self, name, value)
if (name:match("^_")) then
return;
end;
local body = self:GetAttribute("_onattributechanged");
if (body) then
SecureHandler_Self_Execute(self, "self,name,value",
body, name, value);
end
end
local function PickupAny(kind, target, detail, ...)
if (kind == "clear") then
ClearCursor();
kind, target, detail = target, detail, ...;
end
if kind == 'action' then
PickupAction(target);
elseif kind == 'bag' then
PickupBagFromSlot(target)
elseif kind == 'bagslot' then
PickupContainerItem(target, detail)
elseif kind == 'inventory' then
PickupInventoryItem(target)
elseif kind == 'item' then
PickupItem(target)
elseif kind == 'macro' then
PickupMacro(target)
elseif kind == 'merchant' then
PickupMerchantItem(target)
elseif kind == 'petaction' then
PickupPetAction(target)
elseif kind == 'money' then
PickupPlayerMoney(target)
elseif kind == 'spell' then
PickupSpell(target)
elseif kind == 'companion' then
PickupCompanion(target, detail)
elseif kind == 'equipmentset' then
PickupEquipmentSet(target);
end
end
function SecureHandler_OnDragEvent(self, snippetAttr, button)
local body = self:GetAttribute(snippetAttr);
if (body) then
PickupAny( SecureHandler_Self_Execute(self,
"self,button,kind,value,...",
body, button, GetCursorInfo()) );
end
end
---------------------------------------------------------------------------
-- "Wrap" handlers for alternate dispatch on various conditions
-- such as OnClick, used for child handlers
--
-- All wrappers use ... to make sure the original handler gets all of
-- its arguments even if WoW is updated and this file is missed.
-- 'Marker object' used to trigger unwrap of wrap closure
local MAGIC_UNWRAP = newproxy();
local LOCAL_Wrapped_Handlers = {};
setmetatable(LOCAL_Wrapped_Handlers, { __mode = "k"; });
-- Create a closure to hold the data for a specific wrap
local function CreateWrapClosure(handler, header, preBody, postBody)
local wrap;
if (postBody) then
wrap = function(self, ...)
if (self == MAGIC_UNWRAP) then
return header, preBody, postBody;
end
return handler(self, header, preBody, postBody, wrap, ...);
end
else
wrap = function(self, ...)
if (self == MAGIC_UNWRAP) then
return header, preBody, nil;
end
return handler(self, header, preBody, nil, wrap, ...);
end
end
return wrap;
end
-- Save a hander against a specific wrap (securecall'ed for protection)
local function SaveWrapHandler(frame, script, wrap)
LOCAL_Wrapped_Handlers[wrap] = frame:GetScript(script) or false;
end
-- Restore a hander from a specific wrap (securecall'ed for protection)
local function RestoreWrapHandler(frame, script, wrap)
local old = LOCAL_Wrapped_Handlers[wrap];
if (old == nil) then return; end
if (old == false) then old = nil; end
frame:SetScript(script, old);
return true;
end
-- Create a new handler wrapper and configure it
--
-- frame - the frame that has the script
-- script - the script name (such as OnClick)
-- header - the secure header that owns the 'wrap'
-- handler - the handler function that will process the event
-- preBody - the snippet to execute before the wrapped handler
-- postBody (optional) - the snippet to execute after the wrapped handler
--
-- The resulting closure is called as (self, ...)
--
-- The handler is invoked with (self, header, preBody, postBody, wrap, ...)
-- where 'wrap' is the wrap closure itself (also the key to the wrapped
-- handlers table)
local function CreateWrapper(frame, script, header, handler, preBody, postBody)
local wrap = CreateWrapClosure(handler, header, preBody, postBody);
securecall(SaveWrapHandler, frame, script, wrap);
return wrap;
end
-- Reverse the wrap process, restoring the wrapped handler (does nothing
-- if the current handler is not wrapped)
local function RemoveWrapper(frame, script)
local wrap = frame:GetScript(script);
if (not issecure()) then
-- not valid
return;
end
if (not securecall(RestoreWrapHandler, frame, script, wrap)) then
-- not valid
return;
end
-- Extract header, preBody, postBody
return wrap(MAGIC_UNWRAP);
end
-- Invoke the wrapped handler for a wrapper, passing in all arguments
local function SafeCallWrappedHandler(frame, wrap, ...)
local handler = LOCAL_Wrapped_Handlers[wrap];
if (type(handler) == "function") then
local ok, err = pcall(handler, frame, ...);
if (not ok) then
SoftError(err);
end
end
end
-- Check that a given frame is eligible for wrapped execution
local function IsWrapEligible(frame)
return (not InCombatLockdown()) or frame:IsProtected();
end
-- Wrapper handler for clicks
local function Wrapped_Click(self, header, preBody, postBody, wrap,
button, down, ...)
local message, newbutton;
if ( IsWrapEligible(self) ) then
newbutton, message =
SecureHandler_Other_Execute(header, self,
"self,button,down", preBody,
button, down);
if (newbutton == false) then
return;
end
if (newbutton) then
button = tostring(newbutton);
end
end
securecall(SafeCallWrappedHandler, self, wrap, button, down, ...);
if (postBody and message ~= nil) then
SecureHandler_Other_Execute(header, self,
"self,message,button,down",
postBody,
message, button, down);
end;
end
local function Wrapped_OnEnter(self, header, preBody, postBody, wrap,
motion, ...)
local allow, message;
if ( motion ) then
self:SetAttribute("_wrapentered", true);
if ( IsWrapEligible(self) ) then
allow, message =
SecureHandler_Other_Execute(header, self, "self",
preBody);
end
if (allow == false) then
return;
end
end
securecall(SafeCallWrappedHandler, self, wrap, motion, ...);
if (postBody and message ~= nil) then
SecureHandler_Other_Execute(header, self, "self,message",
postBody, message);
end
end
local function Wrapped_OnLeave(self, header, preBody, postBody, wrap,
motion, ...)
local allow, message;
if ( motion and self:GetAttribute("_wrapentered")) then
self:SetAttribute("_wrapentered", nil);
if ( IsWrapEligible(self) ) then
allow, message =
SecureHandler_Other_Execute(header, self, "self",
preBody);
if (allow == false) then
return;
end
end
end
securecall(SafeCallWrappedHandler, self, wrap, motion, ...);
if (postBody and message ~= nil) then
SecureHandler_Other_Execute(header, self, "self,message",
postBody, message);
end
end
local function CreateSimpleWrapper(beforeSignature, afterSignature)
return function(self, header, preBody, postBody, wrap,
...)
local allow, message;
if ( IsWrapEligible(self) ) then
allow, message =
SecureHandler_Other_Execute(header,
self, beforeSignature,
preBody, ...);
if (allow == false) then
return;
end
end
securecall(SafeCallWrappedHandler, self, wrap, ...);
if ( postBody and message ~= nil ) then
SecureHandler_Other_Execute(header,
self, afterSignature,
postBody, message, ...);
end
end;
end
local Wrapped_ShowHide = CreateSimpleWrapper("self", "self,message");
local Wrapped_MouseWheel = CreateSimpleWrapper("self,offset",
"self,message,offset");
local function Wrapped_Drag(self, header, preBody, postBody, wrap, ...)
local message;
if ( IsWrapEligible(self) ) then
local selfHandle = GetFrameHandle(self, true);
if (selfHandle) then
local environment = GetManagedEnvironment(header, true);
local controlHandle = GetFrameHandle(header, true, true);
local button = ...;
local pickupType, target, x1, x2, x3 =
CallRestrictedClosure("self,button,kind,value,...",
environment,
control, preBody,
selfHandle, button,
GetCursorInfo());
if (pickupType == false) then
return;
elseif (pickupType == "message") then
message = target;
elseif (pickupType) then
PickupAny(pickupType, target, x1, x2, x3);
return;
end
end
end
securecall(SafeCallWrappedHandler, self, wrap, ...);
if ( postBody and message ~= nil ) then
SecureHandler_Other_Execute(header, self,
"self,message,button",
postBody, message, ...);
end
end
local function Wrapped_Attribute(self, header, preBody, postBody, wrap,
name, value, ...)
local allow, message;
if ( (not name:match("^_")) and IsWrapEligible(self) ) then
allow, message =
SecureHandler_Other_Execute(header, self,
"self,name,value", preBody,
name, value);
if (allow == false) then
return;
end
end
securecall(SafeCallWrappedHandler, self, wrap, name, value, ...);
if ( postBody and message ~= nil ) then
SecureHandler_Other_Execute(header, self,
"self,message,name,value",
postBody, message, name, value);
end
end
local LOCAL_Wrap_Handlers = {
OnClick = Wrapped_Click;
OnDoubleClick = Wrapped_Click;
PreClick = Wrapped_Click;
PostClick = Wrapped_Click;
OnEnter = Wrapped_OnEnter;
OnLeave = Wrapped_OnLeave;
OnShow = Wrapped_ShowHide;
OnHide = Wrapped_ShowHide;
OnDragStart = Wrapped_Drag;
OnReceiveDrag = Wrapped_Drag;
OnMouseWheel = Wrapped_MouseWheel;
OnAttributeChanged = Wrapped_Attribute;
};
---------------------------------------------------------------------------
-- External API helpers, all are driven off a single control frame
-- using OnAttributeChanged.
-- Quick sanity check that a frame looks like a frame
local function IsValidFrame(frame)
return (type(frame) == "table") and (type(frame[0]) == "userdata");
end
-- 'Action' handler for most of the API methods, invoked somewhat indirectly
-- via attribute sets so as to allow secure execution (doesn't work from
-- combat for user code (or indeed for any code))
local function API_OnAttributeChanged(self, name, value)
if (value == nil) then
return;
end
if (InCombatLockdown()) then
-- This shouldn't ever happen because API frame is protected,
-- but just in case someone does something silly...
error("Cannot use SecureHandlers API during combat");
return;
end
-- _execute runs code in the context of a header
if (name == "_execute") then
local frame = self:GetAttribute("_apiframe");
self:SetAttribute("_execute", nil);
if (type(value) ~= "string") then
error("Invalid execute body");
return;
end
-- Most validation is performed by SecureHandler_Self_Execute
SecureHandler_Self_Execute(frame, "self", value);
return;
end
-- _wrap wraps a script handler in a secure wrapper
if (name == "_wrap") then
local frame = self:GetAttribute("_apiframe");
local header = self:GetAttribute("_apiheader");
local preBody = self:GetAttribute("_apiprebody");
local postBody = self:GetAttribute("_apipostbody");
self:SetAttribute("_wrap", nil);
if (type(value) ~= "string") then
error("Invalid wrap script id");
end
if (not IsValidFrame(frame)) then
error("Invalid wrap frame");
end
if (not IsValidFrame(header)) then
error("Invalid header frame");
end
if (type(preBody) ~= "string") then
error("Invalid pre-handler body");
end
if (postBody ~= nil and type(postBody) ~= "string") then
error("Invalid post-handler body");
end
if (not select(2, header:IsProtected())) then
error("Header frame must be explicitly protected");
end
local script = value;
if (not frame:HasScript(script)) then
error("Frame does not support script '" .. script .. "'");
end
if (not issecure()) then
error("Wrap frame cannot be used");
end
local handler = LOCAL_Wrap_Handlers[value];
if (not handler) then
error("Unsupported script type '" .. value .. "'");
end
local wrapper = CreateWrapper(frame, value, header,
handler, preBody, postBody);
frame:SetScript(script, wrapper);
return;
end
-- _unwrap restores a previously wrapped handler
if (name == "_unwrap") then
local frame = self:GetAttribute("_apiframe");
local data = self:GetAttribute("_apidata");
if (data) then
self:SetAttribute("_apidata", nil);
end
self:SetAttribute("_unwrap", nil);
if (type(value) ~= "string") then
error("Invalid unwrap script id");
end
if (not IsValidFrame(frame)) then
error("Invalid unwrap frame");
end
local script = value;
if (not frame:HasScript(script)) then
error("Frame does not support script '" .. script .. "'");
end
local header, preBody, postBody = RemoveWrapper(frame, script);
if (type(data) == "table") then
forceinsecure();
wipe(data);
data[1] = frame;
data[2] = script;
data[3] = header;
data[4] = preBody;
data[5] = postBody;
end
return;
end
-- _frame-<label> creates a frame reference
local frameid = name:match("^_frame%-(.+)");
if (frameid) then
local frame = self:GetAttribute("_apiframe");
self:SetAttribute(name, nil);
if (not IsValidFrame(frame)) then
error("Invalid destination frame");
return;
end
if (not IsValidFrame(value)) then
error("Invalid referenced frame");
return;
end
local refid = "frameref-" .. frameid;
local handle = GetFrameHandle(value);
frame:SetAttribute(refid, handle);
return;
end
end
-- Frame used as both an attribute repository for API functions as well
-- as the OnUpdate timer source for timer and OnUpdate dispatch
local LOCAL_API_Frame = CreateFrame("Frame", "SecureHandlersUpdateFrame",
nil, "SecureFrameTemplate");
LOCAL_API_Frame:SetScript("OnAttributeChanged", API_OnAttributeChanged);
-- Wrap the script on a frame to invoke snippets against a header
function SecureHandlerWrapScript(frame, script, header, preBody, postBody)
if (not IsValidFrame(frame)) then
error("Invalid frame");
return;
end
if (type(script) ~= "string") then
error("Invalid script id");
return;
end
if (header and not IsValidFrame(header)) then
error("Invalid header frame");
return;
end
if (not select(2, header:IsProtected())) then
error("Header frame must be explicitly protected");
return;
end
if (type(preBody) ~= "string") then
error("Invalid pre-handler body");
return;
end
if (postBody ~= nil and type(postBody) ~= "string") then
error("Invalid post-handler body");
return;
end
LOCAL_API_Frame:SetAttribute("_apiframe", frame);
LOCAL_API_Frame:SetAttribute("_apiheader", header);
LOCAL_API_Frame:SetAttribute("_apiprebody", preBody);
LOCAL_API_Frame:SetAttribute("_apipostbody", postBody);
LOCAL_API_Frame:SetAttribute("_wrap", script);
end
local UNWRAP_TEMP_TABLE = {};
-- Remove previously applied wrapping, returning its details
function SecureHandlerUnwrapScript(frame, script)
if (not IsValidFrame(frame)) then
error("Invalid frame");
end
if (type(script) ~= "string") then
error("Invalid script id");
end
wipe(UNWRAP_TEMP_TABLE);
UNWRAP_TEMP_TABLE[1] = false;
LOCAL_API_Frame:SetAttribute("_apiframe", frame);
LOCAL_API_Frame:SetAttribute("_apidata", UNWRAP_TEMP_TABLE);
LOCAL_API_Frame:SetAttribute("_unwrap", script);
local chkFrame = UNWRAP_TEMP_TABLE[1];
local chkScript = UNWRAP_TEMP_TABLE[2];
local header = UNWRAP_TEMP_TABLE[3];
local preBody = UNWRAP_TEMP_TABLE[4];
local postBody = UNWRAP_TEMP_TABLE[5];
if ((chkFrame ~= frame) or (chkScript ~= script)) then
error("Unable to retrieve unwrap results");
return;
end
wipe(UNWRAP_TEMP_TABLE);
return header, preBody, postBody;
end
-- Execute a snippet against a header frame
function SecureHandlerExecute(frame, body)
if (not IsValidFrame(frame)) then
error("Invalid header frame");
return;
end
if (not select(2, frame:IsProtected())) then
error("Header frame must be explicitly protected");
return;
end
if (type(body) ~= "string") then
error("Invalid body");
return;
end
LOCAL_API_Frame:SetAttribute("_apiframe", frame);
LOCAL_API_Frame:SetAttribute("_execute", body);
end
-- Create a frame handle reference and store it against a frame
function SecureHandlerSetFrameRef(frame, label, refFrame)
if (not IsValidFrame(frame)) then
error("Invalid frame");
return;
end
if (type(label) ~= "string") then
error("Invalid body");
return;
end
if (not IsValidFrame(refFrame)) then
error("Invalid reference frame");
return;
end
LOCAL_API_Frame:SetAttribute("_apiframe", frame);
LOCAL_API_Frame:SetAttribute("_frame-" .. label, refFrame);
end
---------------------------------------------------------------------------
-- Helper Methods, these are just friendly wrappers for the
-- global functions.
local function SecureHandlerMethod_Execute(self, body)
-- Kept as a wrapper for consistency
return SecureHandlerExecute(self, body);
end
local function SecureHandlerMethod_WrapScript(self, frame, script,
preBody, postBody)
-- Wrapped since args are in different order
return SecureHandlerWrapScript(frame, script, self, preBody, postBody);
end
local function SecureHandlerMethod_UnwrapScript(self, frame, script)
-- Wrapped since args are in different order
return SecureHandlerUnwrapScript(frame, script);
end
local function SecureHandlerMethod_SetFrameRef(self, id, frame)
-- Kept as a wrapper for consistency
return SecureHandlerSetFrameRef(self, id, frame);
end
function SecureHandler_OnLoad(self)
self.Execute = SecureHandlerMethod_Execute;
self.WrapScript = SecureHandlerMethod_WrapScript;
self.UnwrapScript = SecureHandlerMethod_UnwrapScript;
self.SetFrameRef = SecureHandlerMethod_SetFrameRef;
end
