Roberto Ierusalimschy wrote:
>   code = "string with the code to be loaded"
>   f = loadstring("in ... do " .. code .. " end")

A.S. Bradbury wrote:
> It doesn't compile for each environment. It compiles the function
> once, and allows you to pass in an environment on subsequent
> invocations. loadstring is called when you call multienv. You then
> have a compiled function you can pass different environments to. The
> code snippet in Roberto's post is much better though, and as lhf
> suggests load can be used to avoid the string concatenation.

I'm sorry, it looks like I misunderstood the code. Thanks for explaining
it again.

But now I noticed another problem which makes it look to me like you
can't use that for sandboxes at all. Consider the following code:

  code = "local dummy = nil end; do os.remove (\"something\")"
  f = loadstring ("in ... do " .. code .. " end")

The new function f would read (indented for clarity):
  in ... do
    local dummy = nil
  end;
  do
    os.remove ("something")
  end

Or did I miss something again?

Of course it would be possible to compile the string first without using
the environment wrapper and only if that works compile it again with the
wrapper. But that would already require two compilations so in case the
code is needed only once it would even reduce the efficiency.

So I guess I should just drop the idea of reusing compiled untrusted
code in multiple sandboxes.

-- David
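
The block-closing escape described in this message and the compile-twice check it proposes, as an added example that is not part of the original post or of Lua itself. It assumes Lua 5.2 or later, where a concatenated `do local _ENV = ...` wrapper stands in for the `in ... do` wrapper quoted above; `wrap`, `compile_naive`, `compile_checked` and both input strings are constructed for illustration, and a harmless global assignment replaces `os.remove`.

```lua
-- Added example. Assumes Lua 5.2+ (load's mode/env arguments, _ENV).
-- Constructed inputs: same shape as the string in the message, with a
-- harmless global assignment in place of os.remove.
local hostile = 'local dummy = nil end; do leaked = (os ~= nil)'
local benign  = 'result = 1 + 1'

-- Concatenated wrapper (stand-in for "in ... do"): the sandbox is only
-- a block scope, which the untrusted string can close early.
-- The newline keeps a trailing line comment from swallowing "end".
local function wrap(code)
  return "do local _ENV = ...; " .. code .. "\nend"
end

-- Naive: compile the wrapped text directly ("t" rejects bytecode).
local function compile_naive(code)
  return load(wrap(code), "=wrapped", "t")
end

-- Check from the message: the string must first compile on its own as
-- a complete chunk; only then is it compiled again inside the wrapper.
local function compile_checked(code)
  local chunk, err = load(code, "=untrusted", "t", {})
  if not chunk then return nil, err end
  return load(wrap(code), "=wrapped", "t")
end

-- Naive path: the second "do" block runs against the real globals.
local sandbox = {}
assert(compile_naive(hostile))(sandbox)
assert(sandbox.leaked == nil and rawget(_G, "leaked") == true)
leaked = nil  -- clean up the global the escaped block created

-- Checked path: the unbalanced "end" is a syntax error on its own.
local f, err = compile_checked(hostile)
assert(f == nil and type(err) == "string")

-- A well-formed chunk compiles once and is reused with two environments.
local g = assert(compile_checked(benign))
local a, b = {}, {}
g(a); g(b)
assert(a.result == 2 and b.result == 2 and rawget(_G, "result") == nil)
print("naive wrapper escaped; checked wrapper rejected the input")
```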