Re: Implementing a simple sandbox -- another quirk

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Implementing a simple sandbox -- another quirk
From: Max Ischenko <max@...>
Date: Tue, 24 Jun 2003 14:52:35 +0300

> >function equals()
> >	return DATE
> >end
> [...]
> >f = loadstring("return function() return equals() end")
> >xxx(f)

> That's because equals still has the old env. setfenv(x,f) does not affect
> the env of equals. I'm sorry, using setfenv can defy intutition, as Wim has
> described in http://lua-users.org/lists/lua-l/2003-02/msg00547.html .

Well, then I have a problem with sandbox' security.

While string compiled with loadstring() is evaluated in a safe sandbox,
function that are called from that chunk could freely refer to globals,
like os.execute. Right?

Is it possible to fake env. used by functions called from the chuck?


-- 
Regards, max.

References:
- Re: Implementing a simple sandbox -- another quirk, Luiz Henrique de Figueiredo

Prev by Date: Re: Re[2]: why no "continue" statement for loops?
Next by Date: Comparing 2 strings
Previous by thread: Re: Implementing a simple sandbox -- another quirk
Next by thread: Re: Implementing a simple sandbox -- another quirk
Index(es):
- Date
- Thread