lua-l archive


On Thu, Feb 25, 2010 at 2:55 PM, Roberto Ierusalimschy wrote:
> (BTW, loadfile [and require] is quite insecure to be allowed in sandboxes, as it
> may load binary files that can crash your program.)

Would it be desirable to have a rule that functions that may crash
your program can only exist in the debug library?

There are times when I want my application to load a user-supplied Lua
script in non-binary form via a function like loadfile or require, and
I don't need to secure it in a sandbox against things like
os.execute("rm -fr /") because the user is trusted or at least not any
less trusted than the operating system trusts the user (e.g. the
operating system may prevent "rm -fr /").  However, it is common to
treat any possibility for user input to irreparably corrupt or crash
an application as a bug.  Maintaining that contract would
unfortunately require avoiding these two very pervasive functions and
reimplementing them over and over in terms of load(ls, source, 't').
How many people would think of or spend the time to do that, particularly
when developing third-party modules used as components in larger
systems that may want to enforce this contract?  Perhaps loading
binary modules outside could be enabled/disabled globally via a switch
in luaconf.h or during runtime.  But you might not want to completely
disable it because you might want to load compiled binary code that is
trusted not to crash (e.g. compiled with lua2c and embedded in the
executable with bin2c).
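The text-only loadfile/require the post asks for, written out as an added example (it is not code from the post or from the Lua distribution). It assumes stock Lua 5.1 through 5.4; the names load_text, loadfile_text, search_path and text_searcher are this example's own. The point it makes beyond the post: in 5.1 the only guard is the first byte of the chunk (ESC, the "\27Lua" signature, which is exactly what the stock loaders test for), in 5.2+ the mode argument "t" lets the VM refuse binary chunks itself, and even in 5.4 the stock require searcher still loads with mode nil, so require needs its searcher replaced rather than just loadfile.

```lua
-- Added example, not code from the post or from the Lua distribution:
-- a loadfile/require pair that only ever compiles Lua *source*, so a
-- precompiled chunk supplied by a user is rejected instead of being
-- handed to the undump code. Assumes stock Lua 5.1 to 5.4.

-- Compile s as source text only. A precompiled chunk starts with ESC
-- ("\27Lua"), which is the byte the stock loaders test for.
local function load_text(s, chunkname, env)
  if s:sub(1, 1) == "\27" then
    return nil, chunkname .. ": precompiled chunk rejected"
  end
  if _VERSION == "Lua 5.1" then
    -- 5.1 has no mode argument, so the byte check above is the only guard.
    local fn, err = loadstring(s, chunkname)
    if fn and env ~= nil then setfenv(fn, env) end
    return fn, err
  end
  -- 5.2+: mode "t" makes load itself refuse binary chunks. Pass env only
  -- when given: load(s, name, "t", nil) would set _ENV to nil.
  if env ~= nil then return load(s, chunkname, "t", env) end
  return load(s, chunkname, "t")
end

-- Text-only replacement for loadfile(path).
local function loadfile_text(path, env)
  local f, err = io.open(path, "rb")
  if not f then return nil, err end
  local s = f:read("*a")
  f:close()
  -- Drop a leading #! line like the stock loadfile does; keep the newline
  -- so reported line numbers stay correct.
  if s:sub(1, 1) == "#" then s = (s:gsub("^[^\n]*", "")) end
  return load_text(s, "@" .. path, env)
end

-- Minimal package.searchpath equivalent that also works on 5.1.
local function search_path(name, path)
  name = name:gsub("%.", "/")
  local tried = {}
  for template in path:gmatch("[^;]+") do
    local filename = template:gsub("%?", function() return name end)
    local f = io.open(filename, "rb")
    if f then f:close(); return filename end
    tried[#tried + 1] = "\n\tno file '" .. filename .. "'"
  end
  return nil, table.concat(tried)
end

-- Searcher that replaces the stock Lua-file searcher, which (even in
-- 5.4) loads with mode nil and therefore accepts binary chunks.
local function text_searcher(name)
  local filename, err = search_path(name, package.path)
  if not filename then return err end
  local fn, lerr = loadfile_text(filename)
  if not fn then
    error(("error loading module '%s' from file '%s':\n\t%s")
          :format(name, filename, lerr), 0)
  end
  return fn, filename
end

local searchers = package.searchers or package.loaders  -- 5.2+ / 5.1 name
searchers[2] = text_searcher

-- Self-check on constructed input: source compiles, a string.dump'ed
-- chunk (which starts with "\27Lua") is refused.
assert(load_text("return 1 + 1", "=src")() == 2)
assert(not load_text(string.dump(function() return 1 end), "=bin"))

return { load_text = load_text, loadfile_text = loadfile_text }
```

Two caveats when using this. First, the stock loadfile in Lua 5.2+ already accepts a mode argument, so loadfile(path, "t") covers the loadfile half without any helper; require is the half that still needs the searcher replaced. Second, only searcher [2] is replaced here: searchers [3] and [4] still load C libraries found on package.cpath, which is a larger trust problem than a bad bytecode file, so remove those as well if the module names themselves come from an untrusted source.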