lua-l archive

On 7 August 2010 02:01, Erik Cassel <erik@roblox.com> wrote:
>
> While investigating a security breach in some of our sandbox code I came
> upon the undocumented "newproxy" feature. From a security point of view it
> seems scary because it allows you to somehow play with metamethods of
> userdata objects.

It only allows you to play with the metamethods of userdata you
create, you can't setmetatable() on a userdata returned by newproxy,
only clone existing proxies. Still yes, it's not a function I'd expect
to see in a sandbox.

> Are there any other "undocumented" surprises in Lua?

If newproxy() was in your sandbox (especially without your knowledge)
then it wasn't a very good sandbox. To make a sandbox you should start
with an empty environment and pull in only functions you know to be
safe. In fact there's a good guide on sandboxing on the wiki,
including listing safe/unsafe standard functions:
http://lua-users.org/wiki/SandBoxes

> Yes, people use newproxy in clever ways and I'm sure they rely on it. So
> please do one of the following:
> 1) Make it an official part of the language
> 2) Put it in the documentation as an unsupported feature
> 3) Turn it off by default. Allow it to be enabled in luaconf.h
> I think option 3 is the best one. If something isn't documented then most
> people won't use it, so it just bloats the code. Turn it off by default and
> then let people opt into it.

I agree with any of those, though I favour 3 least. If going that far
however then I'd say just remove it completely - it's not hard to make
a C module that exports a newproxy() function if you need it, easier
than rebuilding Lua for most people.

Matthew
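The two points in the reply above, what newproxy() actually lets a script do and how a whitelist sandbox keeps it out, worked through as an added example. This is not code from the thread, from Roblox or from the Lua distribution; it targets Lua 5.1 (newproxy was removed in 5.2, and loadstring/setfenv are 5.1 APIs). The whitelists SAFE_GLOBALS and SAFE_STRING, the helper names make_sandbox_env and run_sandboxed, and the three input strings are this example's own choices, not anything the thread or the wiki page prescribes.

```lua
-- Added example, not from the mail or from Lua's own sources. Lua 5.1 only:
-- newproxy was removed in 5.2, and loadstring/setfenv are 5.1 APIs.

-- 1. What newproxy actually grants: a fresh userdata whose metatable you own.
local function newproxy_demo()
  local p  = newproxy(true)                -- true => attach a new metatable
  local mt = getmetatable(p)
  mt.__index = function(_, k) return "intercepted " .. tostring(k) end
  mt.__gc    = function() end              -- __gc on a proxy is the usual reason to want one
  assert(p.foo == "intercepted foo")

  -- setmetatable() refuses userdata outright; only C code (or newproxy) can set one.
  local ok, err = pcall(setmetatable, p, {})
  assert(not ok and err:find("table expected", 1, true))

  -- Passing an existing proxy clones it: new userdata, same metatable.
  local q = newproxy(p)
  assert(getmetatable(q) == mt and q ~= p)
  return true
end

-- 2. Sandbox built the way the reply recommends: start from an empty table and
-- copy in only names believed safe. These whitelists are this example's own
-- choice (assumption), loosely following the SandBoxes wiki page; audit them
-- against your build before relying on them.
local SAFE_GLOBALS = { "assert", "error", "ipairs", "next", "pairs", "pcall",
  "select", "tonumber", "tostring", "type", "unpack", "xpcall" }
local SAFE_STRING  = { "byte", "char", "find", "format", "gmatch", "gsub",
  "len", "lower", "match", "reverse", "sub", "upper" }  -- no string.dump, no rep

local function make_sandbox_env()
  local env = {}
  for _, name in ipairs(SAFE_GLOBALS) do env[name] = _G[name] end
  env.string = {}
  for _, name in ipairs(SAFE_STRING) do env.string[name] = string[name] end
  env.math = {}
  for k, v in pairs(math) do
    if k ~= "randomseed" then env.math[k] = v end  -- don't let guests reseed the host RNG
  end
  env._G = env                             -- the guest sees only its own environment
  return env
end

local function run_sandboxed(code, env)
  -- Refuse precompiled chunks: 5.1's loadstring accepts bytecode, and crafted
  -- bytecode can crash the VM no matter how empty the environment is.
  if code:byte(1) == 27 then return false, "bytecode chunks are not allowed" end
  local chunk, err = loadstring(code, "=sandbox")
  if not chunk then return false, err end
  setfenv(chunk, env)                      -- replace the chunk's globals table with ours
  return pcall(chunk)
end

-- Constructed inputs, not taken from the thread.
local harmless = [[return string.upper(tostring(20 + 22))]]
local probing  = [[local p = newproxy(true); return p]]   -- the kind of thing the breach used
local bytecode = "\27Lua" .. ("\0"):rep(8)                 -- forged bytecode header

local function sandbox_demo()
  local ok, res = run_sandboxed(harmless, make_sandbox_env())
  assert(ok and res == "42")

  ok, res = run_sandboxed(probing, make_sandbox_env())
  assert(not ok and res:find("attempt to call global 'newproxy'", 1, true))

  ok, res = run_sandboxed(bytecode, make_sandbox_env())
  assert(not ok and res == "bytecode chunks are not allowed")

  -- Caveat a whitelist does not cover: all strings share one metatable whose
  -- __index is the real `string` table, so ("").dump is reachable regardless of env.
  ok, res = run_sandboxed([[return ("").dump ~= nil]], make_sandbox_env())
  assert(ok and res == true)
  return true
end

newproxy_demo()
sandbox_demo()
print("ok")
```

Run it with a 5.1 interpreter (`lua5.1 sandbox.lua`); it prints `ok` only if every assertion holds. The last check is the one worth remembering: an empty environment controls global lookups, not the shared string metatable, so `("").dump` and the rest of `string` are reachable from inside the sandbox unless you also replace `getmetatable("").__index` with your filtered table. On Lua 5.2 and later the same sandbox is simpler and stricter: `load(code, "=sandbox", "t", env)` sets the environment and the `"t"` mode rejects bytecode, and tables support `__gc` natively, which removes the usual reason for reaching for newproxy at all.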