
Search lua-l

This index contains 143,615 documents and 1,774,615 keywords. Last update on 2023-03-09.

Results:

References: [ sandboxing: 527 ]

Total 527 documents matching your query.

141. Re: Bizarre behavior with debug.setupvalue() in Lua 5.3 (score: 2)
Author: Dirk Laurie <dirk.laurie@...>
Date: Sat, 28 Mar 2015 07:00:00 +0200
2015-03-28 6:05 GMT+02:00 Sean Conner <sean@conman.org>: First, let's explain _ENV. If the Lua compiler finds a name, it looks for it in the following order: 1. Look for it as a current local, which
142. Re: Upgrading C sandbox from 5.1 to 5.2/5.3 (score: 2)
Author: Luke Mewburn <luke@...>
Date: Wed, 11 Feb 2015 11:30:48 +1100
Thanks for the clarification! With some minor adjustments to my code I've managed to get the wrapper library and the testsuite working with both Lua 5.1 and Lua 5.2. To summarize the differences in t
143. Re: Upgrading C sandbox from 5.1 to 5.2/5.3 (score: 3)
Author: Michael Welsh Duggan <mwd@...>
Date: Tue, 10 Feb 2015 11:14:59 -0500
So, typically in 5.2, it makes more sense to: a) create the sandbox table b) load the user code as chunks c) set the first upvalue of each chunk to the sandbox table Then user functions are just used
144. Upgrading C sandbox from 5.1 to 5.2/5.3 (score: 3)
Author: Luke Mewburn <luke@...>
Date: Tue, 10 Feb 2015 09:16:46 +1100
Hi. Background: I've been using Lua 5.1 for a few years as a configuration and extension language for our C++ programs at my work. We have a C++ wrapper interface that sandboxes the lua script that's
145. Re: [Proposal?] Environment stacks (score: 2)
Author: "Thiago L." <fakedme@...>
Date: Wed, 03 Dec 2014 21:40:01 -0200
? not only print would see the replaced 'tostring', but also anything else, unrelated code that would be highly surprised by the changed behavior. ? print probably does not call 'tostring' for string
146. [Proposal?] Environment stacks (score: 2)
Author: "Thiago L." <fakedme@...>
Date: Sun, 30 Nov 2014 20:55:05 -0200
Idk if I consider this a proposal or not, but what if environments had stacks? For example, let's say we add a new keyword "setsenv" (set scope environment), and another one "getsenv" (get scope envi
147. RE: Lua file call (score: 2)
Author: Thijs Schreijer <thijs@...>
Date: Fri, 7 Nov 2014 08:03:21 +0000
NOTE: invalid code, you'll need ',' delimiters There are multiple ways of doing this. From simple to not-so-simple. 1) use 'require()' (see manual for details) Make sure the second file is in your L
148. Re: Lua [in]security and the distributors (score: 4)
Author: Axel Kittenberger <axkibe@...>
Date: Fri, 29 Aug 2014 11:01:11 +0200
I disagree. In that case running javascript from the internet would be a terrible idea or any multi user unix system. Yes, there has been a long history of exploits, but that doesn't mean that any
149. Re: Lua [in]security and the distributors (score: 2)
Author: Jonas Thiem <jonasthiem@...>
Date: Thu, 28 Aug 2014 23:10:08 +0200
Yes, but in practise all linux users would hate me for shipping Lua when their system already has it, so they might as well ignore it (not realizing the consequences). And it doesn't make too much of
150. Re: Lua [in]security and the distributors (score: 2)
Author: Coda Highland <chighland@...>
Date: Wed, 27 Aug 2014 20:06:56 -0700
I would take that advice with a grain of salt. Lua is designed to be extensible and embeddable. Everyone has their own favorite power patches. Generally speaking, if you don't like the way that the "
151. Re: Lua [in]security and the distributors (score: 2)
Author: Jonas Thiem <jonasthiem@...>
Date: Thu, 28 Aug 2014 04:56:08 +0200
However, that doesn't change the fact that 3 major distributions completely forgot that they need to check for those patches, and then also seemed unaware there was a security exploit among them (rel
152. Re: Lua [in]security and the distributors (score: 6)
Author: Jonas Thiem <jonasthiem@...>
Date: Thu, 28 Aug 2014 04:42:13 +0200
I am purely referring to script-level sandboxing, and there this one year old unfixed issue is kind of a problem. Although it appears the Lua devs don't really share this sentiment.. oh well. But how
153. Re: Lua [in]security and the distributors (score: 4)
Author: William Ahern <william@...>
Date: Wed, 27 Aug 2014 14:01:08 -0700
The term sandboxing is rather ambiguous, and it wasn't clear from your previous post whether there was any confusion in this regard. When system engineers talk about a sandbox I think they're most co
154. Re: Lua [in]security and the distributors (score: 3)
Author: Jonas Thiem <jonasthiem@...>
Date: Wed, 27 Aug 2014 18:47:59 +0200
I see two obvious choices: 1. You could simply announce Lua is unsuitable for sandboxing. However, that would be sad since in practice many use it for that, and they probably won't stop doing that. 2
155. Re: Lua [in]security and the distributors (score: 5)
Author: Jonas Thiem <jonasthiem@...>
Date: Tue, 26 Aug 2014 17:08:38 +0200
Just a tiny addition, aside from me trying to write a Lua code game I also know someone else who has written a coding game that uses Lua for sandboxing the player code.
156. Re: Lua [in]security and the distributors (score: 4)
Author: "Pierre Chapuis" <catwell@...>
Date: Tue, 26 Aug 2014 16:50:39 +0200
It has, or at least even PiL gives an example. And people do use it for sandboxing. Here is an example of a sandbox by Roberto: http://lua-users.org/lists/lua-l/2013-12/msg00406.html
157. Re: Lua [in]security and the distributors (score: 3)
Author: Jonas Thiem <jonasthiem@...>
Date: Tue, 26 Aug 2014 16:49:34 +0200
Red Hat has asked for CVE classification: http://www.openwall.com/lists/oss-security/2014/08/21/2 I already mailed Red Hat, helped them out with lots of details on the bug tracker, and I emailed Ubun
158. Re: Lua [in]security and the distributors (score: 4)
Author: Enrico Tassi <gares@...>
Date: Tue, 26 Aug 2014 16:37:19 +0200
Without a CVE I can hardly convince Debian security people that the fix is worth it (I'm not fully convinced myself). I would like to fix Lua 5.1 (for the next stable release), but unfortunately the
159. Lua [in]security and the distributors (score: 2)
Author: Jonas Thiem <jonasthiem@...>
Date: Tue, 26 Aug 2014 16:06:22 +0200
Hi *, the Lua crash exploit published since April 2013 is unfixed in: * Debian stable * Fedora * OpenSuse * Ubuntu 12 LTS (still supported) .. or in other words, every distribution I checked so far.
160. Re: Simple Function Call From C language (score: 3)
Author: Andrew Starks <andrew.starks@...>
Date: Tue, 24 Jun 2014 09:19:40 -0500
Technically speaking; it only would if you run on a multi-core cpu machine. But considering the numbers you mentioned, you probably are. Have a look here regarding states and threads; http://www.thi