
Re: load and upvalues



On Wed, May 8, 2019 at 3:08 AM Sean Conner wrote:
> I foresee the question: "Isn't it dangerous to allow untrusted code to load
> arbitrary bytecode?"

  That's why from Lua 5.2 onwards, load() has a parameter to restrict
loading of bytecode.  And a sandbox would not include load() (or a
restricted version of it).


This way untrusted code must satisfy additional restrictions to be able to run inside your sandbox.
I doubt this is practical.
Usually the author of the untrusted code knows nothing about your sandbox and the restrictions it must comply with :-)

An ideal sandbox must run almost everything, including the possibility that the untrusted code might create its own (nested) sandbox while running inside your sandbox.
All standard Lua library functions must be emulated, but not removed.
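
An added example, not code from the thread: one way to emulate `load()` inside a sandbox rather than remove it, using the `mode` parameter available from Lua 5.2 onwards to refuse bytecode while still letting sandboxed code pass its own environment for a nested sandbox. The names `make_sandbox_load` and `sandbox_env` and the contents of the environment are assumptions made for illustration; this covers only `load()`, not a complete sandbox.

```lua
-- Added example (Lua 5.2+). Builds a load() replacement for sandboxed code.
-- make_sandbox_load and sandbox_env are hypothetical names for this sketch.
local function make_sandbox_load(sandbox_env)
  return function(chunk, chunkname, _mode, ...)
    -- The caller's mode argument is ignored: "t" accepts source text only,
    -- so a precompiled (binary) chunk is rejected by the real load().
    local env = sandbox_env
    if select("#", ...) > 0 then
      -- An explicit env was passed (possibly nil). Honour it so untrusted
      -- code can build its own nested sandbox from values it already holds.
      env = (...)
    end
    return load(chunk, chunkname, "t", env)
  end
end

-- Constructed sandbox environment: a deliberately tiny whitelist.
local sandbox_env = { print = print, tostring = tostring }
sandbox_env._G = sandbox_env
sandbox_env.load = make_sandbox_load(sandbox_env)

-- Constructed inputs: the same function as source text and as bytecode.
local source = "return 1 + 1"
local bytecode = string.dump(function() return 1 + 1 end)

-- 1. Source text loads and runs with sandbox_env as its global table.
local f = assert(sandbox_env.load(source, "=text"))
print("text chunk result:", f())

-- 2. Bytecode is refused even when the caller asks for mode "b".
local g, err = sandbox_env.load(bytecode, "=bytecode", "b")
print("bytecode chunk:", g, err)

-- 3. A default-env chunk cannot see host globals such as os or io.
local probe = assert(sandbox_env.load("return os, io, _G.load ~= nil", "=probe"))
print("host globals visible:", probe())

-- 4. Nested sandbox: the inner chunk sees only the table it was given.
local inner_env = { x = 42 }
local h = assert(sandbox_env.load("return x, print", "=nested", "t", inner_env))
print("nested chunk result:", h())
```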
