Reset GC state before closing the Lua VM to prevent user data from being
wrongly freed while it might still be used in destructor callbacks.
Created and published by Redis in their OSS branch.
Pulled from Valkey for Redict.
Signed-off-by: Madelyn Olson <madelyneolson@gmail.com>
Signed-off-by: Drew DeVault <sir@cmpwn.com>
Co-authored-by: YaacovHazan <yaacov.hazan@redis.com>
The explanation on the original commit was wrong. Key based access must
have a `~` in order to correctly configure which key prefixes to apply
the selector to. If this is missing, a server assert will be triggered
later.
Cherry-picked and squashed from relevant Valkey changes.
Signed-off-by: Madelyn Olson <madelyneolson@gmail.com>
Signed-off-by: Drew DeVault <sir@cmpwn.com>
Co-authored-by: YaacovHazan <yaacov.hazan@redis.com>
Fix for CVE-2024-31228
This patch was provided to us by Valkey, who received it from Redis Ltd.
> Authenticated users can trigger a denial-of-service by using specially
> crafted, long string match patterns on supported commands such as
> KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST and ACL
> definitions. Matching of extremely long patterns may result in
> unbounded recursion, leading to stack overflow and process crash.
Fixes https://codeberg.org/redict/redict/issues/56
Signed-off-by: Drew DeVault <sir@cmpwn.com>
Fix for CVE-2024-31449
This patch was provided to us by Valkey, who received it from Redis Ltd.
> An authenticated user may use a specially crafted Lua script to
> trigger a stack buffer overflow in the bit library, which may
> potentially lead to remote code execution.
Fixes: https://codeberg.org/redict/redict/issues/55
Signed-off-by: Drew DeVault <sir@cmpwn.com>
Fix for CVE-2024-31227
This patch was provided to us by Valkey, who received it from Redis Ltd.
> An authenticated user with sufficient privileges may create a
> malformed ACL selector which, when accessed, triggers a server panic
> and subsequent denial of service.
Fixes: https://codeberg.org/redict/redict/issues/54
Signed-off-by: Drew DeVault <sir@cmpwn.com>
this allows for redict to use the same include paths for both system and
vendored hiredict, allowing use of system hiredict without patches.
Signed-off-by: Anna (navi) Figueiredo Gomes <navi@vlhl.dev>
This time, this shouldn't cause CI tests to fail.
Co-authored-by: Chris Lamb <lamby@debian.org>
Signed-off-by: Maytham Alsudany <maytha8thedev@gmail.com>
Now that most of the docs have been migrated over, we can update the references
in the codebase to point to redict.io.
Signed-off-by: Drew DeVault <sir@cmpwn.com>