Re: Secure Lua

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Secure Lua
From: Rici Lake <lua@...>
Date: Mon, 21 Nov 2005 18:55:19 -0500


On 21-Nov-05, at 6:50 PM, Erik Cassel wrote:

Has anybody investigated this further than I have?  Have I missed any
potential exploits?  Any comments, especially regarding the safety of
luaopen_base?


luaopen_base: Not a problem. Just redefine the functions.

do
  local _dofile = dofile
  function dofile(filename)
    check_path(filename)
    return _dofile(filename)
  end
end

At the end of that, the original dofile is simply unavailable. (Thismay be slightly subject to revision after a complete analysis of thenew packaging mechanism, but it certainly works on 5.0.2).

A similar technique would allow you to interpose check_path in allrelevant io library functions.

References:
- Secure Lua, Erik Cassel

Prev by Date: Secure Lua
Next by Date: Re: Secure Lua
Previous by thread: Secure Lua
Next by thread: Re: Secure Lua
Index(es):
- Date
- Thread