On Thu, Mar 5, 2009 at 11:38 AM, Evan DeMond
<evan.demond@gmail.com> wrote:
On Thu, Mar 5, 2009 at 11:34 AM, Olivier Galibert
<galibert@pobox.com> wrote:
On Thu, Mar 05, 2009 at 02:49:23PM -0000, John Hind wrote:
> Now you really have me confused! Surely most Lua apps accept "arbitrary user
> code"? After all it is a configuration and customisation language and this
> is the whole point. Sure, I guess most such apps do not *expect* to load
> binary files, but as long as they use the same input stream this will remain
> a possible attack vector.
For most Lua applications there is nothing to attack. The Lua code
and the main application come from the same security context and
there's nothing you can do through the application you couldn't do
otherwise.
I think the worry here is more about potential buffer overflow or denial of service crashing type attacks, not malicious actions using the Lua library functions.
Evan
Sorry, I think I misunderstood you a bit, ignore my last comment there. You meant that something embedding Lua will run at the same level of security as the host application, correct?
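One host-side shape for the concern raised above about binary (precompiled) chunks arriving on the same input stream as textual configuration, written as an added example that is not part of the thread; it assumes Lua 5.2 or later, where load() takes a mode argument, and the whitelisted environment it builds is a constructed illustration:

```lua
-- Added example (not from the thread): accept only textual Lua for config
-- files and run it in a restricted environment. Assumes Lua 5.2+.
local function load_config(src, name)
  -- Precompiled chunks begin with the signature "\27Lua". Refusing them
  -- here gives a clear error; mode "t" below enforces the same rule.
  if src:sub(1, 1) == "\27" then
    return nil, "binary chunk rejected for " .. tostring(name)
  end
  -- Constructed whitelist: no io, os, load, require or debug, so the
  -- config cannot reach outside the host's intended surface.
  local env = {
    tostring = tostring, tonumber = tonumber,
    pairs = pairs, ipairs = ipairs, type = type,
    string = { format = string.format, upper = string.upper },
    math = { floor = math.floor, max = math.max, min = math.min },
  }
  -- "t" = text only; env becomes the chunk's _ENV (Lua 5.2+ signature).
  local chunk, err = load(src, name, "t", env)
  if not chunk then return nil, err end
  local ok, res = pcall(chunk)
  if not ok then return nil, res end
  -- Globals the chunk assigned are now fields of env; hand those back.
  return env, nil
end

-- Constructed inputs for the three cases.
local text_cfg = 'listen_port = 8080\nbanner = string.upper("hello")'
local bad_cfg  = 'os.execute("id")'           -- os is not in env
local bin_cfg  = string.dump(function() end)  -- starts with "\27Lua"

local cfg, err = load_config(text_cfg, "good.cfg")
print(cfg and cfg.listen_port, cfg and cfg.banner, err)  -- 8080 HELLO nil

cfg, err = load_config(bad_cfg, "bad.cfg")
print(cfg, err)  -- nil  bad.cfg:1: attempt to index a nil value (global 'os')

cfg, err = load_config(bin_cfg, "bin.cfg")
print(cfg, err)  -- nil  binary chunk rejected for bin.cfg
```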