[lua] Secure io.popen() access (and enable popen on Linux)

src/app/script/engine.cpp

@@ -1,5 +1,5 @@
 // Aseprite
-// Copyright (C) 2018-2023  Igara Studio S.A.
+// Copyright (C) 2018-2024  Igara Studio S.A.
 // Copyright (C) 2001-2018  David Capello
 //
 // This program is distributed under the terms of
@@ -246,6 +246,13 @@ Engine::Engine()
   lua_setfield(L, -2, "open");
   lua_pop(L, 1);
 
+  // Wrap io.popen()
+  lua_getglobal(L, "io");
+  lua_getfield(L, -1, "popen");
+  lua_pushcclosure(L, secure_os_execute, 1);
+  lua_setfield(L, -2, "popen");
+  lua_pop(L, 1);
+
   // Wrap os.execute()
   lua_getglobal(L, "os");
   lua_getfield(L, -1, "execute");

src/app/script/security.cpp

@@ -1,5 +1,5 @@
 // Aseprite
-// Copyright (C) 2019-2023  Igara Studio S.A.
+// Copyright (C) 2019-2024  Igara Studio S.A.
 // Copyright (C) 2018  David Capello
 //
 // This program is distributed under the terms of
@@ -94,6 +94,7 @@ int secure_io_open(lua_State* L)
   return 1;
 }
 
+// Used for os.execute() and io.popen()
 int secure_os_execute(lua_State* L)
 {
   int n = lua_gettop(L);

third_party/CMakeLists.txt

@@ -1,5 +1,5 @@
 # Aseprite
-# Copyright (C) 2021-2023  Igara Studio S.A.
+# Copyright (C) 2021-2024  Igara Studio S.A.
 # Copyright (C) 2001-2018  David Capello
 
 include_directories(.)
@@ -195,12 +195,22 @@ if(ENABLE_SCRIPTING)
     lua/lstrlib.c
     lua/ltablib.c
     lua/lutf8lib.c)
+
+  if(WIN32)
+    target_compile_definitions(lua PUBLIC LUA_USE_WINDOWS=1)
+  elseif(APPLE)
+    target_compile_definitions(lua PUBLIC LUA_USE_MACOSX=1)
+  elseif(UNIX)
+    target_compile_definitions(lua PUBLIC LUA_USE_LINUX=1)
+  endif()
+
   target_compile_definitions(lua PUBLIC LUA_FLOORN2I=1)
   target_compile_definitions(lualib PRIVATE HAVE_SYSTEM)
   target_include_directories(lua PUBLIC lua)
   target_include_directories(lauxlib PUBLIC lua)
   target_include_directories(lualib PUBLIC lua)
   target_link_libraries(lauxlib lua)
+  target_link_libraries(lualib lua)
 
   # ixwebsocket
   if(ENABLE_WEBSOCKET)