- Subject: Re: Implementing a simple sandbox -- another quirk
- From: Max Ischenko <max@...>
- Date: Tue, 24 Jun 2003 14:52:35 +0300
> >function equals()
> > return DATE
> >f = loadstring("return function() return equals() end")
> That's because equals still has the old env. setfenv(x,f) does not affect
> the env of equals. I'm sorry, using setfenv can defy intuition, as Wim has
> described in http://lua-users.org/lists/lua-l/2003-02/msg00547.html .
Well, then I have a problem with the sandbox's security.
While a string compiled with loadstring() is evaluated in a safe sandbox,
functions that are called from that chunk could freely refer to globals,
like os.execute. Right?
Is it possible to fake the env. used by functions called from the chunk?
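
The behaviour discussed in this message, as an added example that is not part of the original post (Lua 5.0/5.1 only, since setfenv and loadstring were removed in 5.2): a chunk run under setfenv can reach only what its environment table exposes, while every function exposed there keeps its own environment. The names run_sandboxed, env1, env2 and the chunk text are constructed for illustration.

```lua
-- Host-side global and helper (names taken from the thread).
DATE = "host value"
function equals()
  return DATE   -- looked up in the environment of equals, not of its caller
end

-- Constructed untrusted chunk: sets its own DATE, then probes what it can see.
local untrusted = [[
  DATE = "sandbox value"
  return equals(), type(os)
]]

-- Hypothetical helper: compile src and run it with env as its global table.
local function run_sandboxed(src, env)
  local chunk, err = loadstring(src)
  if not chunk then return false, err end
  setfenv(chunk, env)
  return pcall(chunk)
end

-- Case 1: the host function is exposed as-is. The chunk cannot see os
-- (it is not in env1), but equals() still reads the host's DATE, because
-- setfenv on the chunk does not touch the environment of equals.
local env1 = { equals = equals, type = type }
print("shared host function:", run_sandboxed(untrusted, env1))

-- Case 2: give the sandbox its own copy of the helper and point that copy
-- at the sandbox table. setfenv changes a function for every caller, so it
-- is applied to a dedicated closure, not to the host's equals.
local env2 = { type = type }
local sandbox_equals = function() return DATE end
setfenv(sandbox_equals, env2)
env2.equals = sandbox_equals
print("per-sandbox copy:", run_sandboxed(untrusted, env2))

-- The host's own state is untouched by either run.
print("host DATE:", DATE, "host equals():", equals())
```

Every function placed in the environment table runs with whatever globals it was defined with, so the table should hold only functions written or vetted for untrusted callers.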