lua-users home
lua-l archive



Ok, those two last answers from Adam and Ben come close to explaining 1) something that I didn't understand, 2) why I couldn't explain myself.

Security is an issue, but that was not what I am addressing here. NOW I am very much concerned!!!

What I really wanted is this: a much simpler scripting language than LUA, but I want LUA to execute it. Building a language is too complicated and LUA does it well. But Lua is too complex to leave in the hands of normal users, this is why: they will write things that don't work, then they will call ME to fix it.

If you think that I am on the wrong track, please say so. I have been following this Lua list for months, but I am not sure of anything anymore.

Alain

Adam D. Moss wrote:
Alain wrote:

Here I come to explain myself again: I don't want sandboxing. I want a program that allows me to test if the user is using lua functions *other*than*the*ones*I*allow*him*to*use* not even what most lua programmers consider *normal* to a lua program.

For this I believe I need something called a lexical analyser, so that I can allow only a subset of normal LUA syntax.


I think what you're basically being told is that the way
you're asking to do this isn't really the way you want to
do it.  You can't reliably guarantee through simply lexical
analysis that the user is only calling functions that you
intend her to call.

boopy = "tem"
os["sys"..boopy]("rm -rf /")

goodfunction = evilfunction
goodfunction()

evilfunction = goodfunction
evilfunction()

etc.

Yes, if you really want to lex lua you can use one of the
lua lexers/tokenisers, but you'd have to accept that the
results are going to be fairly deeply unreliable, unlike
the runtime sandboxing.

--adam
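
The runtime approach that the quoted reply contrasts with lexing, as an added example that is not part of the original thread: user text runs in an environment table holding only the allowed names, so a dynamically built or aliased name fails at call time regardless of how it is spelled. The whitelist contents, `make_env`, `run_user` and the sample scripts are constructed for illustration; Lua 5.2+ `load` is assumed, with a `setfenv` fallback for Lua 5.1.

```lua
-- Added example: run untrusted script text with only whitelisted globals.
-- make_env and run_user are hypothetical helper names, not from the thread.
local function make_env()
  -- Hypothetical whitelist: copy in only what end users may call.
  return {
    print = print,
    tostring = tostring,
    math = { floor = math.floor, max = math.max, min = math.min },
    string = { upper = string.upper, len = string.len },
  }
end

local function run_user(src)
  local env = make_env()          -- fresh table per run, nothing leaks between scripts
  local chunk, err
  if setfenv then                 -- Lua 5.1 (loadstring does not reject bytecode)
    chunk, err = loadstring(src, "=user")
    if chunk then setfenv(chunk, env) end
  else                            -- Lua 5.2+: "t" accepts source text only
    chunk, err = load(src, "=user", "t", env)
  end
  if not chunk then return false, "syntax: " .. tostring(err) end
  return pcall(chunk)             -- runtime errors come back as false, message
end

-- Constructed sample scripts, including the evasions shown in the reply above.
local samples = {
  'print(string.upper("ok"), math.max(1, 2))',          -- allowed calls
  'boopy = "tem"; os["sys"..boopy]("echo hi")',         -- name built at runtime
  'local f = io.open; f("x")',                          -- alias of a missing function
  'goodfunction = print; goodfunction("alias is fine")' -- alias of an allowed one
}

for _, src in ipairs(samples) do
  local ok, err = run_user(src)
  print(ok and "ok    " or "denied", src, ok and "" or err)
end
```

String methods called with `:` still reach the real `string` library through the string metatable, and nothing here limits CPU time or memory, so a production host has to handle both separately.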