- Subject: Re: Implementing a simple sandbox -- another quirk
- From: Luiz Henrique de Figueiredo <lhf@...>
- Date: Tue, 24 Jun 2003 09:37:48 -0300
>While a string compiled with loadstring() is evaluated in a safe sandbox,
>functions that are called from that chunk could freely refer to globals,
>like os.execute. Right?
No. See the program below, which is what I think you're trying to achieve.
Note that a simple "return" suffices in loadstring. (In production code,
you have to check whether loadstring returns nil, of course.)
--lhf
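-- Run f with env as its global table, then restore f's original environment.
function sandbox(env, f, ...)
  local g = getfenv(f)
  setfenv(f, env)
  local retval = f(unpack(arg))   -- arg holds the extra arguments (Lua 5.0)
  setfenv(f, g)
  return retval
end

-- Compile s as an expression and print its value as evaluated inside B.
function run(B, s)
  local f = loadstring("return " .. s)
  print(sandbox(B, f))
end

DATE = 10                         -- global DATE, not visible to the sandboxed chunk
B = { DATE = 20, print = print, }
run(B, "DATE")
run(B, "os.execute'date'")        -- os is not in B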
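
An added example, not part of the original message: the same idea with the loadstring nil check the message mentions and pcall around the call, plus a whitelisted function to show that a function keeps the environment it was created in. It assumes the Lua 5.0/5.1 API used above (loadstring, setfenv, pcall); run_sandboxed and today are hypothetical names.

```lua
-- Added example; run_sandboxed and today are hypothetical names.

-- Compile s as an expression and run it with env as its global table.
-- Returns true plus the value on success, or false plus a message on failure.
function run_sandboxed(env, s)
  local f, err = loadstring("return " .. s)
  if not f then
    return false, err      -- syntax error: nothing was executed
  end
  setfenv(f, env)          -- the chunk is fresh, so there is no old environment to restore
  return pcall(f)          -- a runtime error comes back as false plus the message
end

DATE = 10

-- Defined in the main chunk, so its environment is the real global table,
-- and it stays that way even when the function is handed to the sandbox.
function today()
  return DATE
end

B = { DATE = 20, today = today }

-- The chunk itself resolves DATE in B.
print(run_sandboxed(B, "DATE"))

-- today() resolves DATE in its own environment, not in B.
print(run_sandboxed(B, "today()"))

-- os is not in B, so indexing it raises an error that pcall catches.
print(run_sandboxed(B, "os.execute'date'"))

-- Incomplete expression: loadstring returns nil and the message is passed back.
print(run_sandboxed(B, "DATE +"))
```

Every function placed in the sandbox table runs with its own environment, so the whitelist should contain only functions whose behaviour is acceptable with full access to the globals they were created with.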