[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: Secure tables in Lua: Summary
- From: Roberto Ierusalimschy <roberto@...>
- Date: Thu, 3 Jul 2008 13:15:24 -0300
> In general, Lua's not terribly good at this stuff because it lacks the
> rigour necessary to make sure that you get everything right, all the
> time --- it's far too easy to make a mistake and expose something, at
> which point an attacker can fairly easily unravel your whole security
> system. For example, in your sample code, your exposed object's
> metatable's __index field points directly at the underlying data store,
> which means that given a secured table t, this:
> data = getmetatable(t).__index
> ...undoes all the security.
You can avoid this particular attack using the __metatable field. But
your general analysis still aplies.