Re: Reducing Lua's Trusted Computing Base

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Reducing Lua's Trusted Computing Base
From: "Stuart P. Bentley" <stuart@...>
Date: Mon, 02 Aug 2010 11:44:26 -0400

On Tue, 27 Jul 2010 19:46:12 -0400, Luiz Henrique de Figueiredo<lhf@tecgraf.puc-rio.br> wrote:

Bottom line: accept Lua plugins and servelets in text form only andsandbox
whatever is needed.

Reminder to force load() to load text in the same low-privilege sandbox asthe servlet. You don't want to create a hole by letting functions dowhatever they want as long as they wrap it in a load[==[...]==]!

Prev by Date: Re: [ANN] Lua 5.2.0 (work4) now available
Next by Date: 5.2 bytecode verifier library
Previous by thread: Re: bug in Lua 5.1.4 with GC, userdata and fenv
Next by thread: 5.2 bytecode verifier library
Index(es):
- Date
- Thread