Search lua-l

This index contains 143,615 documents and 1,774,615 keywords. Last update on 2023-03-09.

Results:

References: [ sandboxing: 527 ]

Total 527 documents matching your query.

261. Re: Deterministic hashing for lua tables (score: 2)
Author: HyperHacker <hyperhacker@...>
Date: Mon, 30 Jan 2012 18:38:38 -0700
Counting bytecode won't protect you against nonsense like: print(string.match(("x"):rep(1000000000), ("."):rep(1000000000))) The only reliable way to prevent a script hogging CPU is to limit its CPU
262. Re: Sandboxing (score: 33)
Author: Pierre-Yves Gérardy <pygy79@...>
Date: Fri, 20 Jan 2012 12:58:46 +0100
Indeed, stupid mistake. Thanks. -- Pierre-Yves
263. Re: Sandboxing (score: 33)
Author: Peter Cawley <lua@...>
Date: Fri, 20 Jan 2012 10:35:19 +0000
2012/1/20 Pierre-Yves Gérardy <pygy79@gmail.com>: That check won't detect bytecode. You'd probably be better with "if s:byte() == 27 then".
264. Sandboxing (score: 34)
Author: Pierre-Yves Gérardy <pygy79@...>
Date: Fri, 20 Jan 2012 11:30:37 +0100
Hello, I have some questions regarding sandboxing in Lua 5.1. Besides the functions tagged "SAFE" on the Wiki (http://lua-users.org/wiki/SandBoxes), I would like to provide sanitized versions of `get
265. Re: Survey of lua sandboxes? (score: 2)
Author: David Favro <lua@...>
Date: Fri, 30 Dec 2011 13:13:04 -0500
I am indeed aware; when I said "disallow loading of uncompiled source code" I meant to ask the question, how would malicious bytecode be loaded if we prepare an environment which does not contain ref
266. Re: Survey of lua sandboxes? (score: 2)
Author: HyperHacker <hyperhacker@...>
Date: Wed, 28 Dec 2011 02:52:47 -0700
Segfaults are the least of your worries; it's been demonstrated that crafted bytecode can (at least in 5.1) be an exploit vector for execution of arbitrary native machine code. Ways to protect agains
267. Re: Survey of lua sandboxes? (score: 2)
Author: Sam Roberts <vieuxtech@...>
Date: Tue, 27 Dec 2011 13:14:45 -0800
... Perhaps you are not aware that maliciously constructed compiled code can be used to segfault the interpreter, so a careful attacker could probably execute arbitrary code. See conversations in the
268. Re: Survey of lua sandboxes? (score: 2)
Author: David Favro <lua@...>
Date: Mon, 26 Dec 2011 18:11:59 -0500
Hello Gé, Ignoring the fact that your third point may require customizing the interpreter, why "ideally" would your second point not be accomplished by executing the sandboxed code in an appropriate
269. Re: Survey of lua sandboxes? (score: 2)
Author: Gé Weijers <ge@...>
Date: Mon, 26 Dec 2011 12:31:56 -0800
It's on this page. http://www.stanford.edu/class/ee380/ What comes to mind in sandboxing Lua: disable the code path that loads compiled VM code altogether, in the Lua C source. The small CPU time sav
270. Re: Bytecode: Safe or not? / luac manual (score: 2)
Author: Stefan Reich <stefan.reich.maker.of.eye@...>
Date: Mon, 31 Oct 2011 13:26:23 +0000
Let me explain the principle once more. Script S is run on machine A until it calls freeze(). It is then serialized into a Pluto image (or an image made by a future library that is even better than P
271. Let's make Lua mobile! (score: 3)
Author: Stefan Reich <stefan.reich.maker.of.eye@...>
Date: Wed, 26 Oct 2011 14:32:37 +0000
Hi fellas. - What do I mean by mobile? I am not referring to mobile devices (not specifically anyway). Rather, the idea is that a script is frozen on one machine, sent through the network and then un
272. Re: modules, require, magic (score: 2)
Author: Mark Hamburg <mark@...>
Date: Sun, 23 Oct 2011 13:27:21 -0700
It isn't all that hard to fix, but on a multi-person project it's annoying when you have to go fix someone else's code (and more annoying if then leads to a debate over whether or not their code was
273. Re: Isn't load() in 5.2 too naive about _ENV? (score: 3)
Author: Roberto Ierusalimschy <roberto@...>
Date: Thu, 6 Oct 2011 10:59:22 -0300
I beg to differ. _ENV is irrelevant for sandbox programming, as it is only a compiler trick. Whatever you can do with _ENV you can do without it. What is very relevant to sandboxing is the behavior
274. Re: A challenge: make an online Lua tutorial (score: 2)
Author: steve donovan <steve.j.donovan@...>
Date: Wed, 5 Oct 2011 14:52:37 +0200
Thanks, Alexander - that is a generous offer. It's an interesting sandboxing challenge[1], naturally, but the real value-added is a good guided tutorial. (There is this online interactive Lua which w
275. Re: Young Lua programmers (score: 2)
Author: Erik Cassel <erik@...>
Date: Tue, 4 Oct 2011 09:53:23 -0700
Opening Lua to the end user is non-trivial. You have to work hard on sandboxing: Many young programmers are passionate hackers and they will look under every rock to find a vulnerability. -Erik
276. Re: Small change to luaconf.h (score: 2)
Author: Brian Maher <brian@...>
Date: Fri, 5 Aug 2011 21:22:46 -0700
I've got the same issue... but I need the lua interpreter to be "relocatable" (aka copy into an arbitrary directory and it still needs to work). To do this, I made the following changes: [1] Set the
277. Re: Small change to luaconf.h (score: 2)
Author: Jim Whitehead II <jnwhiteh@...>
Date: Thu, 4 Aug 2011 19:12:23 +0100
Okay, I'll continue making the change using sed/patches. - Jim
278. Re: Small change to luaconf.h (score: 2)
Author: Luiz Henrique de Figueiredo <lhf@...>
Date: Thu, 4 Aug 2011 14:57:23 -0300
My take on this is http://lua-users.org/lists/lua-l/2006-10/msg00580.html The main point is that changing how Lua is built from the command line instead of editing luaconf.h is the wrong way to go a
279. Re: Small change to luaconf.h (score: 2)
Author: Ryan Pusztai <rpusztai@...>
Date: Thu, 4 Aug 2011 11:30:55 -0400
I previously reported this for Lua-5.1, but I'd like to reiterate it for Lua-5.2 if possible before that version is released. I quite frequently script the installation of Lua in a non-global environ
280. Small change to luaconf.h (score: 2)
Author: Jim Whitehead II <jnwhiteh@...>
Date: Thu, 4 Aug 2011 16:14:52 +0100
I previously reported this for Lua-5.1, but I'd like to reiterate it for Lua-5.2 if possible before that version is released. I quite frequently script the installation of Lua in a non-global environ

Search by Namazu v2.0.21