[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Secure Lua
- From: "Erik Cassel" <erik@...>
- Date: Mon, 21 Nov 2005 15:50:23 -0800
A purported benefit of Lua over some other languages (notably Python) is
that it can be run in a reasonably secure, sandboxed mode. I am integrating
Lua into a game where end-users can write scripts and share them with
Aside from any as-yet undiscovered bugs, Lua should be 100% secure if you do
not load any libraries.
How safe are the 5.0.2 standard libraries? Here's my guess:
* luaopen_base: UNSAFE. "dofile", "loadfile" and "require" look scary to me.
For example, if I tried to load a local file from the user's hard drive and
happened to get a file with a credit card number, are we really sure there's
no way that the script can access the content?
* luaopen_loadlib: UNSAFE. A malicious script could load a C library
masquerading as a jpg or something in your internet cache. (The manual
claims that loadlib is part of the base library. Thankfully, it isn't!)
* luaopen_math: Safe
* luaopen_table: Safe
* luaopen_string: Safe. I'm happy to see that str_format() does checks on
parameters before calling sprintf. Can the Lua authors confirm that they
wrote the string library with the intention of preventing crashes and
* luaopen_io: UNSAFE. The I/O library gives the scripter access to the
local file system. The os calls are, of course, unsafe as well.
* luaopen_debug: Safe?
Now here's a problem: Coroutines are a subset of the base library, which
means you can't use coroutines without exposing "dofile", "loadfile" and
Has anybody investigated this further than I have? Have I missed any
potential exploits? Any comments, especially regarding the safety of