$OpenBSD: patch-src_scripting_c,v 1.9 2015/06/05 16:29:09 dcoppa Exp $

Remove dofile() from Redis Lua scripting, because it allows an
attacker to enumerate filesystem contents. See:
http://blog.liftsecurity.io/post/35714931664/filesystem-enumeration-using-redis-and-lua

--- src/scripting.c.orig	Thu Jun  4 11:35:56 2015
+++ src/scripting.c	Fri Jun  5 18:07:16 2015
@@ -593,11 +593,13 @@ void luaLoadLibraries(lua_State *lua) {
 #endif
 }
 
-/* Remove a functions that we don't want to expose to the Redis scripting
+/* Remove functions that we don't want to expose to the Redis scripting
  * environment. */
 void luaRemoveUnsupportedFunctions(lua_State *lua) {
     lua_pushnil(lua);
     lua_setglobal(lua,"loadfile");
+    lua_pushnil(lua);
+    lua_setglobal(lua,"dofile");
 }
 
 /* This function installs metamethods in the global table _G that prevent
