lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

> From: Jim Mathies
> curious about something related to userdata.  based on my
> understanding of these, they are simply void* pointers
> to c memory data.  Wouldn't this be considered unsafe
> security wise if Lua was running as a 'Java like' vm?

Userdata isn't a security risk for 2 reasons:

First, there's no built-in way for Lua to dereference a pointer.  So,
there's no way for a malicious script to read or write the memory that a
void* might point to.

Second, although userdata is a void*, it doesn't necessarily point to
anything valid ( this is up to you ).  For example, from C you could:

  int my_age = 42;
  lua_pushuserdata( (void*) my_age )

This might be a perfectly useful and valid thing to do with userdata, but it
has nothing to do with a specific memory location.

Given the above, keep in mind that lua is primarily an extension language.
You can certainly write dangerous C extensions to lua which could change
memory, make system calls, etc.  Core lua is secure, but what you build on
top of it is another matter.  For example, if you're worried about security
you shouldn't include the standard I/O library in your product.