The ability isn't needed in master because none of the unit tests call
deprecated functions here, but it may be useful in the future or make
cherry-picking of future changes easier.
(cherry-picked from commit 74d8cfa98e0f61ee22a536fc06c2019c9c89aede)
Fixes the vulnerability introduced in commit 52ae31efb21b31f5bb0763d1da24709e90393c59.
(cherry-picked from commit 6450bada57f95af55c490f9d7601ef5e073cdaf1)
Like @gfgtdf pointed out, loadstring() is still supported by Lua in the
name of backwards compatibility, even though it was deprecated in Lua 5.2
and is no longer mentioned in the Lua manual. Thus, as of committing this it's
actually possible to load Lua bytecode.
Let's unit test this to ensure that we don't reintroduce this
vulnerability.
(cherry-picked from commit aa73b836009ca98cade2d0dfca6b99cbf8d19e76)
Side 3 was composed by enemy reinforcements. Since they were
spawned on the right corner of the map, and since side 2
was blocked inside Halstead by an [avoid] tag, it was
necessary to add a new hidden side which could move freely
on the map.
If we upgrade the AI, removing the [avoid] tag, this hidden
side becomes unnecessary.
(cherry-picked from commit f32dfaa9170a998dbbacb54d73346cb67a32dd05)
All sides will now head to the central fortress. Orcs
should now be a bit smarter, and they should not suicide
during the morning or the afternoon. The humans in Halstead
will initially remain inside their fortress, until the enemy
arrival.
(cherry-picked from commit e63a15fc913de1d51ea8caf4330409109e1b2f0f)
Instead of checking whether there are no enemy units left
every time one of them dies, use the "enemies defeated"
event.
(cherry-picked from commit 4ced6c752630d7703c1b73290417add9abb7e19e)
There are two layers of halos and they are applied in a somewhat
convoluted fashion. I should probably explain why.
The bottom halo is designed so it's drawn *below* the main unit sprite
so as to not muddle the colours on it. Halos are normally drawn *on top*
of sprites.
The back halo is specifically masked so it's drawn behind the main unit
sprite without overlapping any of its pixels, but it's asymmetrical and
supposed to flip along with the unit sprite depending on the direction
it's facing. Halos do not do that currently, at least not without using
animation WML conditionals. Unfortunately, for some reason, using a
standing animation that's nothing but conditionals causes the game to
crash at the moment.
Taking all this into consideration, using the blit IPF is a much easier
mechanism to avoid both issues at once, even if it makes the code
slightly awkward.
If someone can think of an alternative method, they're more than welcome
to change the code as long as the sprite's composition remains exactly
the same as it is now. I'm just the artist in this case.
[ci skip]
(cherry-picked from commit 6e1a861bdab92edcd24c297aa97367dfcb6c0876)
It didn't make sense for the dwarves to only notice "glowing" after night had ended.
[ci skip]
(cherry-picked from commit 5758c900e248baf3fc581e9932a2553d92120ac2)
This avoids one of the two files which are currently causing macOS SCons
builds to fail in the master branch.
(cherry-picked from commit 8dc60ae98fa472d7a5fa124002f7b1a2f552e0f3)
Monkey-patching has multiple problems. The biggest problem for a security
fix like this is that it's way too easy to forget to re-apply when we
update Lua to a newer version.
Instead, we now have the implementation of load() under our control and can
update Lua without risk of reintroducing CVE-2018-1999023.
(cherry-picked from commit 52ae31efb21b31f5bb0763d1da24709e90393c59)
This tests whether we successfully prevent the execution and parsing of
precompiled Lua chunks, which can be used to break the Lua sandbox.
This test does not cover all affected functions, in particular not the AI
code that loads Lua chunks.
(cherry-picked from commit 6b13a63bb0999e1c494a4236a5d565306db5a0b9)
This could otherwise be used to escape the Lua sandbox, as described in
multiple sources. For example, one can use it to re-enable the os.execute
function to do shell commands.
The affected functions were
load, loadstring, wesnoth.dofile, wesnoth.require and various places in the
Wesnoth source where Lua chunks were loaded, for example by the AI code.
This commit also changes the Lua source to change Lua's load (which is
the same as loadstring). Alternatively, we could add a wrapper around the
original load function that always passes "t" as third parameter; I went
this way mostly because it was easier to implement, but also because I
was not 100% sure that it is impossible to query the upvalues of a
function via Lua (Wesnoth disables debug.getupvalue but still).
There is also an occurrence in the application_lua_kernel that was not fixed
because I assumed that UMC cannot contain application Lua scripts.
As a further security measure we might want to disable printing the function
address in Lua's tostring for C functions; this cannot be exploited by itself
but it can be used to defeat ASLR in some cases.
(cherry-picked from commit 2554c166dd45bfdee8ee24431224bd25e52bab12)
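The wrapper alternative that the message above mentions (always passing "t" as the mode), together with the kind of regression check the loadstring and unit-test commits describe, as an added example that is not Wesnoth's code; the commit itself changed the Lua source instead. It assumes a stock Lua 5.2 or newer interpreter, and `safe_load` and `install` are hypothetical names.

```lua
-- Added example, not Wesnoth code. Assumes stock Lua 5.2 or newer.
-- safe_load and install are hypothetical names.
local raw_load = load          -- stays reachable only as an upvalue
local SIGNATURE = "\27Lua"     -- first bytes of every precompiled chunk

-- Same interface as load(), but the mode argument is discarded and
-- replaced with "t", so only source text is ever accepted.
local function safe_load(...)
  local nargs = select("#", ...)
  local chunk, chunkname, _, env = ...
  if nargs >= 4 then
    -- Forward env only when the caller passed one: an explicit nil
    -- is not the same as an absent argument for load().
    return raw_load(chunk, chunkname, "t", env)
  end
  return raw_load(chunk, chunkname, "t")
end

local function install()
  load = safe_load
  -- loadstring survives in builds with compatibility enabled.
  if loadstring then loadstring = safe_load end
end

install()

-- Regression checks in the spirit of the unit test commits.
local bytecode = string.dump(function() return 42 end)
assert(bytecode:sub(1, #SIGNATURE) == SIGNATURE)

-- 1. Plain source text still loads and runs.
assert(assert(load("return 1 + 1"))() == 2)

-- 2. Bytecode passed as a string is refused, even when mode "b" is requested.
local fn, err = load(bytecode, "=dumped", "b")
assert(fn == nil and type(err) == "string")

-- 3. Bytecode delivered through a reader function is refused as well.
local sent = false
fn = load(function()
  if sent then return nil end
  sent = true
  return bytecode
end)
assert(fn == nil)

-- 4. The deprecated alias, where it exists, gets the same treatment.
if loadstring then assert(loadstring(bytecode) == nil) end
print("binary chunks rejected; text chunks accepted")
```

The original `load` remains an upvalue of `safe_load`, which is the residual exposure the message cites as a reason for changing the Lua source rather than wrapping.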
* revised and additional snowed hut villages, with night-light TOD variations
* remove spaces to keep column alignment
(cherry-picked from commit 9042b0beb75e637b786a659eb674cccc6d92be28)
Negating an unsigned integer still returns an unsigned value
(in other words, always positive) which isn't what we want.
(cherry-picked from commit e961cc08993bb2b796891530d084da73ec212351)
Before:
20180724 17:21:37 error gui/layout: Failed to fit vertical list to requested rect; expected bottom edge was 277
20180724 17:21:37 error gui/layout: , actual bottom edge was 195
20180724 17:21:37 error gui/layout: (top edge is 113)
After:
20180724 17:34:30 error gui/layout: Failed to fit vertical list to requested rect; expected bottom edge was 277, actual bottom edge was 195 (top edge is 113)
(cherry-picked from commit aab10daac44a3883e368ff457764d0659c69c39f)
This allows the sorting logic to be shared between the sidebar and the
unit preview pane. It also means that we no longer need to create a lambda
to sort them.
I also refactored the generation of movement cost data in help. In
particular, we're no longer extracting the struct to named local variables.
(cherry-picked from commit d8e2498dded14e9df5abcd5e20ac8c8c252dca3a)
Sort movement costs in tooltip, unit preview pane, and unit description alphabetically.
(cherry-picked from commit 61b7e7298b99e11746501e435e6301c7360e2d1c)
The original commit adding the Rename Unit button marked two strings in
the C++ source for extraction without making them translatable.
(cherry-picked from commit bb86afcb728feef091d17a3156f1873f49fe8da7)
By having the nagas be able to recruit and put the gold to use.
Fits dialog better, improves play, & makes naga leader less suicidal.
(cherry-picked from commit f6f10936614ec1f9df69229fd415f91511599255)