
Search lua-l

This index contains 143,615 documents and 1,774,615 keywords. Last update on 2023-03-09.

Results:

References: [ sandboxing: 527 ]

Total 527 documents matching your query.

181. String metatable sandboxing (was: Environment metatable) (score: 33)
Author: "Thiago L." <fakedme@...>
Date: Thu, 17 Apr 2014 10:50:41 -0300
On 16/04/2014 17:45, Thiago L. wrote: How about we have a getmetatable(_ENV).__stringmetatable or something? String metatable sandbox and monkeypatching patch at the same time! Rephrasing: How about
182. Re: A guide to building Lua modules (score: 2)
Author: Andrew Starks <andrew.starks@...>
Date: Wed, 16 Apr 2014 10:19:00 -0500
I monkeypatch all of the time, but: I create an environment using _ENV I copy the library into a new table and make my additions and changes there. I've yet to learn my lesson, as others have, so I d
183. Re: A guide to building Lua modules (score: 2)
Author: steve donovan <steve.j.donovan@...>
Date: Wed, 16 Apr 2014 11:10:27 +0200
Because most people think that random monkey-patching is dumb[1], and there's no defense against other people's decisions anyway in a dynamic language, unless one is sandboxing them severely ;) does
184. Re: A guide to building Lua modules (score: 2)
Author: Philipp Janda <siffiejoe@...>
Date: Wed, 16 Apr 2014 11:00:29 +0200
On 16.04.2014 10:22, steve donovan wrote: On Wed, Apr 16, 2014 at 10:12 AM, Philipp Janda <siffiejoe@gmx.net> wrote: Depending on the coding style there is not that much convenience involved, e.g.:
185. Re: A guide to building Lua modules (score: 2)
Author: Philipp Janda <siffiejoe@...>
Date: Wed, 16 Apr 2014 10:12:06 +0200
On 16.04.2014 09:28, steve donovan wrote: Although I'd say the primary motive for string methods is not polymorphism but convenient laziness ;) Depending on the coding style there is not that much
186. Re: A guide to building Lua modules (score: 2)
Author: steve donovan <steve.j.donovan@...>
Date: Wed, 16 Apr 2014 09:28:17 +0200
It's sometimes called the "virtualization problem" http://lua-users.org/wiki/LuaVirtualization Basically, the string type is too baked into Lua to allow drop-in replacements. Although I'd say the pri
187. Re: A guide to building Lua modules (score: 2)
Author: Philipp Janda <siffiejoe@...>
Date: Wed, 16 Apr 2014 09:14:22 +0200
On 16.04.2014 08:17, steve donovan wrote: On Tue, Apr 15, 2014 at 9:51 PM, Tom N Harris <telliamed@whoopdedo.org> wrote: Or get rid of the metatable and tell everyone to use the `string` functions
188. Re: Sandboxing require function (score: 33)
Author: David Heiko Kolf <david@...>
Date: Fri, 04 Apr 2014 18:36:27 +0200
Hello, if I would want to provide a require function in a sandbox I would probably write my own (restricted) require function and only provide that to the sandbox. This custom require function could
189. RE: C++ integration / DSEL alternative questions (score: 2)
Author: Thijs Schreijer <thijs@...>
Date: Fri, 4 Apr 2014 14:08:26 +0000
I don't know C++, nor very well the parts of the Lua api for creating the coroutines. But maybe this can help; If you only run the same routine over and over again, then a single state can be used a
190. Re: Sandboxing require function (score: 33)
Author: Oliver Kroth <oliver.kroth@...>
Date: Wed, 02 Apr 2014 12:07:12 +0200
David, You may modify the package.searchers table, namely deleting all searchers you don't want to get used. As these are C functions, it's unlikely that a Lua script can re-create them. -- Oliver Am 0
191. Re: Sandboxing require function (score: 33)
Author: Dirk Laurie <dirk.laurie@...>
Date: Wed, 2 Apr 2014 11:22:26 +0200
2014-04-02 10:18 GMT+02:00 David Demelier <demelier.david@gmail.com>: If you can supply your user with only a crippled 'require', you can also set 'rawget' and 'rawset' to nil.
192. Sandboxing require function (score: 33)
Author: David Demelier <demelier.david@...>
Date: Wed, 02 Apr 2014 10:18:18 +0200
Hello all, I like to preload libraries in my application in package.preload so there are not globals and user can still load them individually with `require'. However, I'm guessing if it is possible
193. RE: C++ integration / DSEL alternative questions (score: 2)
Author: Moose <moose@...>
Date: Tue, 01 Apr 2014 15:11:57 +0200
Hello Thijs, thanks for your response. Let me add some thoughts... On 01.04.2014 12:23, Thijs Schreijer wrote: 4) In a real world use case my users have many scripts in my DSEL that get executed at
194. RE: C++ integration / DSEL alternative questions (score: 2)
Author: Thijs Schreijer <thijs@...>
Date: Tue, 1 Apr 2014 10:23:44 +0000
Yes. See http://www.thijsschreijer.nl/blog/?p=693 You might have to cleanup some stuff left behind in between calls, probably using some sandboxing that can be discarded. Generally two approaches; 1
195. Re: Function as metatable (metafunctions?) (score: 2)
Author: steve donovan <steve.j.donovan@...>
Date: Tue, 1 Apr 2014 10:15:54 +0200
And if it's for sandboxing, that's entirely what the debug library is for.
196. Re: Function as metatable (metafunctions?) (score: 2)
Author: "Thiago L." <fakedme@...>
Date: Mon, 31 Mar 2014 15:39:51 -0300
I mean I can't set __metatable to a function so? Eh? local aFunction = function() end debug.setmetatable( aFunction, { __tostring = function() return 'm e t a f u n c t i o n' end } ) print( aFuncti
197. Re: [PATCH] 'data' mode for loadfile (score: 2)
Author: Jay Carlson <nop@...>
Date: Wed, 19 Mar 2014 10:23:16 -0400
If you don't care if the result of large/malicious output is abnormal termination--and everybody who writes "#define malloc(x) assert(malloc(x))" doesn't--alarm(3) and setitimer(2) are pretty cheap.
198. Re: [PATCH] 'data' mode for loadfile (score: 2)
Author: steve donovan <steve.j.donovan@...>
Date: Mon, 17 Mar 2014 21:34:52 +0200
There's the wiki page: http://lua-users.org/wiki/SandBoxes I mentioned the string metatable thing because it's easy to overlook; you might exclude the string library, and then someone could use it th
199. RE: [PATCH] 'data' mode for loadfile (score: 2)
Author: Thijs Schreijer <thijs@...>
Date: Mon, 17 Mar 2014 18:41:23 +0000
Solutions are nice, but is there some list of potential problems? What I mean is; what should I consider to protect against when sandboxing? Thijs
200. Re: [PATCH] 'data' mode for loadfile (score: 2)
Author: steve donovan <steve.j.donovan@...>
Date: Mon, 17 Mar 2014 20:11:28 +0200
Oh definitely yes - one _starts_ with a custom environment. And watch out for the default metatable for strings. (pl.pretty has a load with a 'paranoid' mode which does this) But, as Roberto points o
