
Re: [PATCH] 'data' mode for loadfile



On Mon, Mar 17, 2014 at 8:41 PM, Thijs Schreijer
<thijs@thijsschreijer.nl> wrote:
> Solutions are nice, but is there some list of potential problems? What I mean is; what should I consider to protect against when sandboxing?

There's the wiki page: http://lua-users.org/wiki/SandBoxes

I mentioned the string metatable thing because it's easy to overlook;
you might exclude the string library, and then someone could use it
through a string literal. String functions can be used to construct a
very effective explosive.

But the Billion Laughs attack, that's a nasty one. The problem with
dynamic solutions (restricting memory, restricting instruction count)
is that they are going to slow Lua down, which is an issue with
reading big data files.
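
The string metatable point from the message above, as an added example that is not part of the original post: a chunk loaded with an empty environment still reaches the string library through a literal, and narrowing the metatable's `__index` to an allow-list closes that path. It assumes Lua 5.2 or later; `run_sandboxed`, the chunk text and the allow-list contents are constructed for illustration.

```lua
-- Added example (Lua 5.2+). Helper name, chunk text and allow-list are
-- constructed for illustration.

-- Load a text chunk with an empty environment: no globals, no `string`.
local function run_sandboxed(src)
  local env = {}
  local fn, err = load(src, "=data", "t", env)  -- "t": reject bytecode
  if not fn then return false, err end
  return pcall(fn)
end

-- The chunk never names `string`, but method syntax on a literal is
-- resolved through the string metatable's __index, which is shared by
-- every string in the Lua state and points at the full library.
local chunk = [[return ("ab"):rep(3)]]

local ok, res = run_sandboxed(chunk)
print("empty env only:      ", ok, res)

-- Hardening: replace __index with an allow-list before running untrusted
-- chunks. The metatable is state-wide, so host code sees the same
-- restriction until the original value is restored.
local smt = getmetatable("")
local original_index = smt.__index
smt.__index = { len = string.len, sub = string.sub, byte = string.byte }

ok, res = run_sandboxed(chunk)
print("allow-listed __index:", ok, res)

ok, res = run_sandboxed([[return ("ab"):len()]])
print("allowed method:      ", ok, res)

-- Restore the library for host code once the untrusted chunk has run.
smt.__index = original_index
```

The first call succeeds even though the environment is empty; after the `__index` swap the same chunk fails inside `pcall`, while the allow-listed method still works.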
