Re: Secure Lua

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

• Subject: Re: Secure Lua
• From: Rici Lake <lua@...>
• Date: 2005年11月21日 18:55:19 -0500

---

On 21-Nov-05, at 6:50 PM, Erik Cassel wrote:

Has anybody investigated this further than I have? Have I missed any
potential exploits? Any comments, especially regarding the safety of
luaopen_base?

luaopen_base: Not a problem. Just redefine the functions.
do
 local _dofile = dofile
 function dofile(filename)
 check_path(filename)
 return _dofile(filename)
 end
end

At the end of that, the original dofile is simply unavailable. (This may be slightly subject to revision after a complete analysis of the new packaging mechanism, but it certainly works on 5.0.2). A similar technique would allow you to interpose check_path in all relevant io library functions.

---

• References:
  • Secure Lua, Erik Cassel

• Prev by Date: Secure Lua
• Next by Date: Re: Secure Lua
• Previous by thread: Secure Lua
• Next by thread: Re: Secure Lua
• Index(es):
  • Date
  • Thread