Allowing a module to call mw.makeProtectedEnvFuncs() lets it bypass the
allowEnvFuncs setting. It can also be used to manipulate the global
tables that other modules' sandboxes will be copied from.
And for paranoia's sake, let's tighten up what setfenv is allowed to
set. This requires changing a unit test, because it is no longer
sane to do something like
env.setfenv, env.getfenv = mw.makeProtectedEnvFuncs( { [env] = true }, {} )
Nothing real does this, it was only in the unit test.
Change-Id: I8e0d83bb0980ee869af3ac4413afd211717ca92f
Wikidata has already requested the ability to add libraries into Lua. We
do this in a simple way: add a $wgScribuntoExtraLibraries global, and
load whatever modules someone puts there.
Change-Id: I460b4e7b968eb02dd86620f1e4b50daf1be9e901
Fixed several accidental leaks to the global namespace due to missing
"local" declaration. Removed extension of the string table by mw.uri,
same justification as I5d0ddb70.
Change-Id: Iba1bf8e651d4ce05812e4a9a7a074cb6679297a0
The point of putting the unicode library in mw.ustring instead of
ustring was to avoid conflicts with future upstream work, and with other
libraries. It rather defeats the purpose if you then modify the global
string table during module startup.
Users can always set up local aliases if they feel "mw.ustring" is too
much to type.
Change-Id: I5d0ddb70d999aeb6e36e6ddbcdb19922d0274a39
This is a reimplementation of Lua's string library with support for
UTF-8.
The entire ustring library is implemented in pure Lua. PHP callbacks are
also available for overrides: in LuaSandbox these are used for almost
all functions, while in LuaStandalone they are used only for the pattern
matching. Also, ustring.upper and ustring.lower are overridden using
mw.language's .uc and .lc if available.
It also includes a bunch of unit tests.
Note that if you download the normalization tests, they may fail under
LuaSandbox if you have PHP's intl extension installed and libicu on your
system is too old.
Change-Id: Ie76fdf8d3a85d0a3d2a41b0d3b7afe433f247af0
Our loader for lua files distributed with the extension doesn't work
like Lua's built-in loaders. Fix that.
Change-Id: I7576f0e173c10a589f7ebf2c121230ed66b538fe
To allow Lua libraries to mark functions as expensive, add an
incrementExpensiveFunctionCount() method to Scribunto_LuaEngine that
will call the corresponding Parser method and throw an error if the
limit is exceeded.
Also allow libraries to do the same thing from Lua by calling
mw.incrementExpensiveFunctionCount().
Change-Id: I56fded32b1077eff3980371e9abc9b3b7581f7b5
Adds a base class for libraries with some utility functions in PHP, and a
Lua library with utility functions for use from Lua.
Change-Id: I3d67b1de8bc50488fe3a722e4e2de5849285d127
The listing of the standard modules in package.loaded seems to have been
removed to avoid leaking information to loaded modules. However, since
the *entire* environment is cloned, *including* package.loaded itself,
this does not seem to actually be a problem. But for good measure, also
add a unit test to verify that the version of the standard module tables
referenced from package.loaded is the same as that in _G.
This change also cleans up some unused local variables and an unused
local function from the package module.
Change-Id: I7ec8227b3273059e8f65ad735c215bfd0c623e64
In Lua, a table entry with a nil value is the same as a table entry that
doesn't exist. So when serializing for transfer to PHP, these keys will
be skipped. For a table as an associative array this isn't much of a
problem, but for a table as a list it means we have missing indexes.
Some of Lua's functions for handling "lists" (i.e. tables with numeric
keys) also have a problem when the list contains nils.
To work around these issues when passing argument lists and return value
lists, pass the number of elements along with the sparse list. On the
PHP end we can use this to fill in the missing nulls, and on the Lua
end we can pass this count to unpack() to avoid the problems on the Lua
side.
Change-Id: I858e3905a06e377693301da2b8bc534808f00e3e
Lua 5.2 introduces a nice feature where a metatable can override the
standard behavior of the pairs() and ipairs() functions. That would be
very useful in allowing a more standard syntax for our frame.args, and
it's very easy to do both in C and in Lua.
Change-Id: I37efc59a0c8876ee16184807e15fafbc07e2d288
Built-in modules (e.g. the upcoming ustring) should be able to extend
the string metatable, but user modules (and the debug console) should
not be able to.
But currently built-in modules cannot extend the string metatable in
LuaStandalone, while in LuaSandbox the string metatable can be extended
in the console. Fix this and add unit tests.
Change-Id: I15f5598fed318f2fe26b08ec47e16053dddc13c4
Currently, the only way for PHP to pass a function to Lua is to pass
back a function that it received from Lua. This means, for example, that
PHP cannot implement a Lua iterator function except by registering a
library holding the function or by using loadString.
This changeset adds Scribunto_LuaInterpreter::wrapPhpFunction (and
implements it for both LuaSandbox and LuaStandalone), which takes a PHP
callable and returns a Lua function wrapping it.
Note that fallback code is included so this does not depend on
I2e552799.
Change-Id: Ic0a98eec7cc17ef4b1acee032c0f42d617b998d2
The package module is loaded into the "base" environment but not
correctly initialized, so interface modules and the console cannot
actually load anything.
Change-Id: I92a47d318ccadd7361edb1ac3b0e4bb304ff8a9c
In the debug console, "=unpack( { 1, 2, 3 } )" prints only "1". And
similarly, "mw.log( 1, 2, 3 )" logs only "1". Since Lua uses multiple
return values extensively, this is not particularly helpful.
Following the lead of the lua command-line client, change these to
output multiple values by converting each one using tostring() and then
concatenating them with tab as a separator.
Change-Id: I791d4c92415fc722bbd7c62d0f5f88752d31fe07
There's no reason LuaStandalone cannot handle NaN and Inf.
Also, add some unit tests to check this.
Change-Id: I8570242a792e212489ad24dfc04fb1f2940190a5
* string.format() truncates the string at a null character, causing a
deadlock when Lua attempts to send null characters to PHP. Use
concatenation instead.
* Added test.
* Fixed an error reporting issue in the console, which I happened to
notice at the same time as the above bug.
Change-Id: I2e6061a04512557492bffbd04bc09ca3bc1d80d6
All of these were in getScriptTraceHtml, which used some magic ($msgOptions) which is no
longer that easy when using the Message class. As only inContentLanguage ('content') was
used, I documented that, and added the relevant code paths.
I tried to keep the code as readable and brief as possible and also removed an unused
local variable ($linedefined).
Change-Id: I38e1ce0bf90d9aa462e88ca7c795fcc848c4f118
Do not try to use the new LuaSandbox class constants in the
backwards-compatible section of the code.
Change-Id: I0c4ca9e019095fce5bd1c1d17dbdf36dc198dfb7
Provide a convenient means to access the current frame so that the
parameter passed to module functions won't need to be conventionally
stored in a global variable.
Change-Id: I0254d86a1094866a3ce4899e4021d0b33367bb35
Add a profiler report to the limit report for pages with more than 1s
of Lua time. Uses the profiler introduced in I0b83a914 of LuaSandbox.
Also, fixed some circular references which were preventing the
LuaSandbox object from being destroyed when Scribunto::resetEngine()
was called. Otherwise a large number of interval timers could be started
due to a LuaSandbox object resource leak.
Change-Id: I5487fe2623974939d07f09f7197e86a5f297a8f1
Don't run Preprocessor::preprocessToObj() for frame:preprocess() on
cache hits, only do it on cache misses. The rationale for passing a
PPNode from expandTemplate() to doCachedExpansion() remains: Parser
implements its own cache, as well as extra logic, inside
getTemplateDom().
Change-Id: I29e85e3e98d9590bbd1ae49fb2bb4deaa895edc9
* Added a debug console to the edit page, allowing unsaved modules to be
tested.
* Removed the "preview" button from the edit page.
* Only show the "ignore code errors" checkbox on module edit pages, not
all edit pages.
* Added Lua function mw.log() for sending messages to the debug log.
Change-Id: Ia51f439e573a1deb5b83f94ddd1a86792d5569c1
Optionally remove setfenv and getfenv from the global environment in
which user code runs. This will improve the forwards-compatibility of
user code with Lua 5.2.
Porting to Lua 5.2 would still be a daunting project, of questionable
value, but at least only the internal code would need updating, and not
thousands of on-wiki modules. Compared to the environment changes, the
rest of the Lua 5.2 changes are relatively easy to simulate for
backwards compatibility.
Removed module() from the package module, since it depends on setfenv().
The native version of it is deprecated in Lua 5.2 for that reason.
Change-Id: I978903ca98943ac941833da13fe5027949f6b429
* Implemented the new parser interface based on a frame object, as
described in the design document and wikitech-l.
* Added parser tests for the new interface.
* Removed {{script:}} parser function
* Allow named parameters to {{#invoke:}}
* Don't trim the return value
* If a function invoked by #invoke returns multiple values, concatenate
them into a single string.
* If there is an error during parse, show the error message as an HTML
comment as well as via JavaScript. This makes parser test construction
easier, and probably makes debugging easier also.
* Rename mw_internal to mw_php to clarify its role. It is now strictly a
private Lua -> PHP interface function table.
* Protect mw.setup() against multiple invocation.
* Fixed a bug in Scribunto_LuaStandaloneInterpreter::receiveMessage():
large packets caused fread() to return with less than the requested
amount of data, which previously caused an exception. It's necessary
to check for EOF and to repeat the read to get all data. The receive
function on the Lua side does not suffer from this problem.
* In the standalone engine, fixed a bug in the interpretation of null
return values from PHP callbacks. This should return no values to Lua.
* Updated the Lua unit tests to account for the fact that functions are
now forced to return strings.
* Updated the getfenv and setfenv tests to account for the extra stack
level introduced by mw.executeFunction().
Change-Id: If8fdecdfc91ebe7bd4b1dae8489ccbdeb6bbf5ce
* Use LuaSandbox::getPeakMemoryUsage() from r115086
* Fixed the debug.traceback function from da06273e, was nil
Change-Id: Iae4b195ffe25a522d4c37f9c8341e1d6ea3ae106
Also changed scribunto-lua-in-function-at to not say "anonymous" since
it also applies to functions which are not anonymous as declared, only
anonymous as called.
Change-Id: Ib99cc6d12fbb40a295e1fda35ac48bcf097fdb66
* Updates for the LuaSandbox backtrace feature introduced in r115020.
* Fixed a notice in the case where the backtrace is not available
* Implemented error message parsing for file/line as in LuaStandalone
Change-Id: Ie1e053784e174aa53ebf5a1fa782d3cf6243c3f0
Fixed the issue noticed during testing of da06273e, and which resulted
in satest.setfenv1() being disabled. It's not possible to protect
environments by iterating through every stack level, calling getfenv()
at each one, because if any of the stack levels is a tail call, an error
is raised.
Such a tail call was introduced in da06273e, which is why the test broke.
Instead, just protect the actual specified environments, not their
callers. The callers will have to protect themselves.
Change-Id: If39104010ff2663c1bae5105cc8d37e276532100
* Added error backtrace collection to MWServer:handleCall()
* When there is an error on parse, show a short and simple inline error
message to the user, which when clicked, expands to a full error with
HTML-formatted backtrace.
* When an error is encountered during module validation, have the code
editor jump directly to the line. Requires r115011.
* Expose the code location of most errors to Scribunto, by parsing the
standard error message format.
* During module validation, abbreviate the error location if the error
is in the same module.
* Do not execute the module during validation, just parse it. Execution
does not really work without an active parse operation in progress.
It already caused a fatal error if you called require() from the main
chunk, and problems would have become more visible as more
parser-related APIs were added.
* LuaSandbox does not yet provide backtraces, but this is planned.
Change-Id: Id9f6564a41b310792b3fe3ebb527cbf8f8771bd1
* Added tests for the engine classes.
* Added some tests that run under Lua.
* In the chunk names, fixed truncation of module names at 60 bytes
by using an "=" prefix instead of @.
* Fixed a bug in mw.clone() which was causing the metatable to be set on
the source table instead of the destination.
* Put restricted setfenv/getfenv in the cloned environment rather than
the base environment, they work better that way.
* In setfenv(), check for getfenv() == nil, since that's what our own
restricted getfenv returns.
* Fixed getfenv() handling of numeric arguments: add one where
appropriate.
Change-Id: I2b356fd65a3fcb348c4e99a3a4267408fb995739
Package library:
* Added a simulation of the Lua 5.1 package library.
* Removed mw.import(), replaced it with a package loader. Packages can be
retrieved from the wiki, using require('Module:Foo'), or from files
distributed with Scribunto, using require('foo'). The "Module:" prefix allows
for source compatibility with existing Lua code.
* Added a couple of libraries from LuaForge: luabit and stringtools.
* Made fetchModuleFromParser() return null on error instead of throwing an
exception, to more easily support the desired behaviour of the package loader,
which needs to return null on error.
* Renamed mw.setupEnvironment() to mw.setup() since it is setting up things
other than the environment now.
* In MWServer:handleRegisterLibrary(), remove the feature which interprets dots
in library names, since LuaSandbox doesn't support this.
Improved module isolation and related refactoring:
* Expose restricted versions of getfenv() and setfenv() to user Lua code.
Requires luasandbox r114952.
* Don't cache the export list returned by module execution for later function
calls. This breaks isolation of #invoke calls, since the local variables are
persistent.
* Removed ScribuntoFunctionBase and its children, since it doesn't really have
a purpose if it can't cache anything. Instead, invoke functions using a module
method called invoke().
* Removed Module::initialize(), replaced it with a validate() function. This is
a more elegant interface and works better with the new module caching scheme.
* Use a Status object for the return value of Engine::validate() instead of an
array. Use the formatting facilities of the Status class.
Other:
* Removed "too many returns" error, doesn't fit in with Lua conventions.
* Use the standalone engine by default, so that the extension will work without
configuration for more people.
* Added an accessor for $engine->interpreter
* Fix mw.clone() to correctly clone metatables
* If the standalone interpreter exits due to an error, there are some contexts
where the initial error will be caught and ignored, and the user will see the
error from checkValid() instead. In this case, rethrow the original error for
a more informative message.
* Load mw.lua into the initial standalone environment, to reduce code
duplication between mw.lua and MWServer.lua.
* Fixed a bug in Scribunto_LuaStandaloneInterpreter::handleCall() for functions
that return no results.
* Fixed a bug in encodeLuaVar() for strings with "\r". Added test case.
* In MWServer.lua, don't call error() for internal errors, instead just print
the error and exit. This avoids a protocol violation when an error is
encountered from within handleCall().
* Added lots of documentation. Lua doc comments are in LuaDoc format.
Change-Id: Ie2fd572c362bedf02f45d3fa5352a5280e034740
