lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


You can set the environment table of a function, which can limit the
functionality of the function. I.e.

env = { print = print }
local fn = assert(loadfile "malware.lua")
setfenv(fn,env) -- setting the environment limits 
 -- the function to use print only
fn()

You can effectively secure any function that way - but you have to be absolutly
sure about the security of the functions that you include. I would even suggest
creating the environment by adding functions one by one, watching that none of
it breaks the security aspect (like creating a whitelist). Functions that can
create functions (like loadstring / loadfile / dofile) must be modified for
that environment in a way to set the secure environment to the returned
function automaticly - otherwise it will simply assign the global environment
table, which would be a hack then (as far as I know). Debugging functions / os
functions etc. shouldn't be included at all. I would also provide functions,
that allows the script to load only very specific data and limiting to save
data to a minimum (i.e. allow only to save ASCII strings etc.).

If your application is written in C/C++, you should be sure that those scripts
cannot crash your applications (by loading corrupt models that contain
executable code etc).

> Hello everyone!
> 
> I'm making a game that uses Lua for most of its functions. I'm making it 
> so that users can create their own levels/weapons/vehicles/modes in Lua, 
> but what if they put viruses in the script?
> 
> What are some tips to avoid this problem? I can't disable file I/O 
> because, for example, the maps might need to load text terrains. Maybe 
> there's a way to only allow the script to load files from a certain 
> directory?
> 
> Anything else I should know about this?
> 
> Thanks!
> 
>