lua-users home
lua-l archive



I just tried using this:

secureenviron = {
  getfenv = function(...)
    return _G.getfenv(...)
  end,
  --... other lua functions
}
for _,v in pairs(secureenviron) do
  if type(v) == "function" then setfenv(v, secureenviron) end
end

This protects against: getfenv(getfenv) to get ahold of the global
table. I have no idea how to prevent climbing the stack levels to get
at the global environment other than raising an error. Doing simple
checks to see if the table returned by getfenv() is the global table
seems prone to errors (and attack).

-- 
-Patrick Donnelly

"One of the lessons of history is that nothing is often a good thing
to do and always a clever thing to say."

-Will Durant
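
An added example, not part of the original post and not the author's code: one way to cover both cases the message raises in Lua 5.1, refusing numeric stack levels with an error and allowlisting the sandbox table instead of testing for the global table. The names make_sandbox, safe_getfenv and run are hypothetical.

```lua
-- Added example for Lua 5.1 (getfenv/setfenv do not exist in 5.2+).
-- make_sandbox, safe_getfenv and run are hypothetical names.

-- Capture the real functions as upvalues so the wrappers keep working
-- no matter which environment the calling code runs in.
local real_getfenv, real_setfenv = getfenv, setfenv

local function make_sandbox()
  local env = {}

  local function safe_getfenv(f)
    if f == nil then return env end          -- getfenv(): caller's own env
    if type(f) ~= "function" then
      -- Numeric levels (including 0, the thread environment) are refused.
      error("getfenv: stack levels are not available here", 2)
    end
    -- Allowlist: hand back a table only if it is the sandbox table itself.
    if rawequal(real_getfenv(f), env) then return env end
    error("getfenv: function is not owned by the sandbox", 2)
  end

  env.getfenv = safe_getfenv
  env.type, env.tostring, env.pairs = type, tostring, pairs
  return env
end

-- Compile untrusted source text and run it inside env.
local function run(env, source)
  local chunk, err = loadstring(source, "=sandboxed")
  if not chunk then return false, err end
  real_setfenv(chunk, env)
  return pcall(chunk)
end

local env = make_sandbox()
-- Functions defined inside the sandbox still resolve to the sandbox table.
local ok, same = run(env, "return getfenv() == getfenv(function() end)")
assert(ok and same == true)
-- getfenv(getfenv), a library function and stack levels are all refused.
for _, src in ipairs{ "return getfenv(getfenv)", "return getfenv(pairs)",
                      "return getfenv(2)", "return getfenv(0)" } do
  assert(run(env, src) == false)
end
print("sandbox checks passed")
```

The comparison is made against the one table the sandbox is meant to expose, so a function whose environment is any other table is rejected without the wrapper having to recognise the global table.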