lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

> I guess I added an extra comma. Lua does provide several functions that
> you can write yourself, but usually they are useful in many situations,
> not only to build very specific sandboxes.

Well, I disagree that being able to load a file into an environment
isn't useful in general. My main issue is really just that loadfile,
loadstring, dofile, and presumably require() load into the global
environment rather than the current one.

> It does not. 'require' should never be allowed in sandboxes, unless
> you want your sandboxes to have access to sockets, databases, etc.
> (It would look more like a beach than a sandbox ;)

I'll admit, "sandbox" was just the first term that came to mind. I was
more about namespacing (and even that might not be the right word),
keeping code defined in one file in its own space and with access to
only the items I decide to let it access. My goal is rather more
general than a secure sandbox.

As a perhaps silly example, perhaps I'd like to run a file multiple
times, each time with a different environment. Or I'd have several
third-party plugins, and want to use a single Lua interpreter to
contain them, by using environments to encapsulate them. I'd let them
access require, but perhaps not loadfile/dofile, and simply limit the
locations that package.path looks in. (This is assuming that require()
looks in the global environment for the package table always, but
loads into the caller's environment). Does that sound sensible?