[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Avoiding viruses?
- From: Eike Decker <eike@...>
- Date: Mon, 30 Jul 2007 22:19:54 +0200
You can set the environment table of a function, which can limit the
functionality of the function. I.e.
env = { print = print }
local fn = assert(loadfile "malware.lua")
setfenv(fn,env) -- setting the environment limits
-- the function to use print only
fn()
You can effectively secure any function that way - but you have to be absolutly
sure about the security of the functions that you include. I would even suggest
creating the environment by adding functions one by one, watching that none of
it breaks the security aspect (like creating a whitelist). Functions that can
create functions (like loadstring / loadfile / dofile) must be modified for
that environment in a way to set the secure environment to the returned
function automaticly - otherwise it will simply assign the global environment
table, which would be a hack then (as far as I know). Debugging functions / os
functions etc. shouldn't be included at all. I would also provide functions,
that allows the script to load only very specific data and limiting to save
data to a minimum (i.e. allow only to save ASCII strings etc.).
If your application is written in C/C++, you should be sure that those scripts
cannot crash your applications (by loading corrupt models that contain
executable code etc).
> Hello everyone!
>
> I'm making a game that uses Lua for most of its functions. I'm making it
> so that users can create their own levels/weapons/vehicles/modes in Lua,
> but what if they put viruses in the script?
>
> What are some tips to avoid this problem? I can't disable file I/O
> because, for example, the maps might need to load text terrains. Maybe
> there's a way to only allow the script to load files from a certain
> directory?
>
> Anything else I should know about this?
>
> Thanks!
>
>