
> In general, Lua's not terribly good at this stuff because it lacks the  
> rigour necessary to make sure that you get everything right, all the  
> time --- it's far too easy to make a mistake and expose something, at  
> which point an attacker can fairly easily unravel your whole security  
> system. For example, in your sample code, your exposed object's  
> metatable's __index field points directly at the underlying data store,  
> which means that given a secured table t, this:
>
> data = getmetatable(t).__index
>
> ...undoes all the security.

You can avoid this particular attack using the __metatable field. But
your general analysis still applies.

-- Roberto
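
The effect of the `__metatable` field mentioned in the reply above, as an added example that is not part of the original messages: the same proxy is built with and without the field. The function names `secure_weak` and `secure_hardened` and the sample store are hypothetical.

```lua
-- Added illustration; names and data are constructed, not from the thread.

-- Proxy as described in the quoted message: __index points directly at the
-- data store and the metatable can be read back with getmetatable().
local function secure_weak(store)
  return setmetatable({}, {
    __index = store,
    __newindex = function() error("read-only", 2) end,
  })
end

-- Same proxy with one extra field. When __metatable is set, getmetatable()
-- returns that value instead of the real metatable, and setmetatable() on
-- the proxy raises an error.
local function secure_hardened(store)
  return setmetatable({}, {
    __index = store,
    __newindex = function() error("read-only", 2) end,
    __metatable = "locked",
  })
end

local store = { balance = 100 }  -- constructed sample data

-- Without __metatable: the line from the quoted message reaches the store.
local weak = secure_weak(store)
assert(getmetatable(weak).__index == store)

-- With __metatable: the same call only yields the placeholder value.
local hard = secure_hardened(store)
assert(getmetatable(hard) == "locked")
assert(not pcall(setmetatable, hard, {}))           -- metatable cannot be swapped
assert(not pcall(function() hard.balance = 0 end))  -- writes still rejected
assert(hard.balance == 100)                         -- reads still work

-- __metatable only affects the base-library getmetatable/setmetatable.
-- debug.getmetatable ignores it, so the environment handed to untrusted
-- code must not contain the debug library.
if debug and debug.getmetatable then
  assert(type(debug.getmetatable(hard)) == "table")
end

print("ok")
```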