lua-l archive



Thanks for the reply Matthew. It was helpful.

newproxy is defined in base_open, which as far as I can tell is pretty
fundamental, even in a sandbox environment. I should have read its
implementation more carefully, then I'd have noticed newproxy sooner.

The wiki article you pointed out is a great review of what is out
there, but it doesn't mention newproxy either :-)

> it's not hard to make a C module that exports a newproxy() function if you need it

Yes, I agree that newproxy should be put in a library. I think what
surprised me is that there would be an undocumented feature like this
in Lua. Overall it is such a nice, concise and well documented
implementation.

-Erik



On Fri, Aug 6, 2010 at 6:28 PM, Matthew Wild <mwild1@gmail.com> wrote:
>
> On 7 August 2010 02:01, Erik Cassel <erik@roblox.com> wrote:
> >
> > While investigating a security breach in some of our sandbox code I came
> > upon the undocumented "newproxy" feature. From a security point of view it
> > seems scary because it allows you to somehow play with metamethods of
> > userdata objects.
>
> It only allows you to play with the metamethods of userdata you
> create, you can't setmetatable() on a userdata returned by newproxy,
> only clone existing proxies. Still yes, it's not a function I'd expect
> to see in a sandbox.
>
> > Are there any other "undocumented" surprises in Lua?
>
> If newproxy() was in your sandbox (especially without your knowledge)
> then it wasn't a very good sandbox. To make a sandbox you should start
> with an empty environment and pull in only functions you know to be
> safe. In fact there's a good guide on sandboxing on the wiki,
> including listing safe/unsafe standard functions:
> http://lua-users.org/wiki/SandBoxes
>
> > Yes, people use newproxy in clever ways and I'm sure they rely on it. So
> > please do one of the following:
> > 1) Make it an official part of the language
> > 2) Put it in the documentation as an unsupported feature
> > 3) Turn it off by default. Allow it to be enabled in luaconf.h
> > I think option 3 is the best one. If something isn't documented then most
> > people won't use it, so it just bloats the code. Turn it off by default and
> > then let people opt into it.
>
> I agree with any of those, though I favour 3 least. If going that far
> however then I'd say just remove it completely - it's not hard to make
> a C module that exports a newproxy() function if you need it, easier
> than rebuilding Lua for most people.
>
> Matthew
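
An added example, not code from this thread or from the Lua distribution, assuming Lua 5.1 (newproxy was removed in 5.2). The first part shows the behaviour Matthew describes: newproxy(true) returns a userdata with a fresh metatable that you can edit, newproxy(p) only clones an existing proxy's metatable, and setmetatable() refuses userdata. The second part builds the whitelist sandbox he recommends, starting from an empty environment and copying in only chosen functions, then checks that newproxy (and the other non-whitelisted globals) simply do not exist inside it. The whitelist here is illustrative, not a vetted list; the SandBoxes wiki page is the reference for what to include.

```lua
-- Lua 5.1 only: newproxy, loadstring and setfenv all exist in this version.
-- Constructed demonstration; names and whitelist are this example's own choices.

-- 1. What newproxy actually permits (running as the host, outside any sandbox).
local function demo_newproxy()
  local p  = newproxy(true)              -- userdata with a fresh, writable metatable
  local mt = getmetatable(p)
  mt.__index = function(_, k) return "intercepted:" .. tostring(k) end
  mt.__len   = function() return 42 end  -- __len is honoured for userdata in 5.1

  local q = newproxy(p)                  -- clone: shares p's metatable, cannot pick another
  local shares_mt = (getmetatable(q) == mt)

  -- setmetatable() only accepts a table as its first argument, so a proxy's
  -- metatable cannot be replaced from Lua; pcall returns false here.
  local replaced = pcall(setmetatable, p, {})

  return p.anything, #p, shares_mt, replaced
end

print(demo_newproxy())

-- 2. A whitelist sandbox: start from an empty table and copy in only
--    functions judged safe. Sub-libraries are copied, not shared, so the
--    sandboxed code cannot modify the real string/table/math tables.
local function make_sandbox_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next, pairs = pairs,
    pcall = pcall, select = select, tonumber = tonumber, tostring = tostring,
    type = type, unpack = unpack, xpcall = xpcall,
    string = { byte = string.byte, char = string.char, find = string.find,
               format = string.format, gmatch = string.gmatch, gsub = string.gsub,
               len = string.len, lower = string.lower, match = string.match,
               rep = string.rep, reverse = string.reverse, sub = string.sub,
               upper = string.upper },
    table  = { concat = table.concat, insert = table.insert,
               remove = table.remove, sort = table.sort },
    math   = { abs = math.abs, ceil = math.ceil, floor = math.floor,
               huge = math.huge, max = math.max, min = math.min,
               pi = math.pi, sqrt = math.sqrt },
  }
  env._G = env   -- untrusted code that reads _G sees only the sandbox
  return env
end

-- Compile untrusted source, bind it to the restricted environment, run it.
local function run_sandboxed(src, env)
  local chunk, err = loadstring(src, "=untrusted")
  if not chunk then return false, err end
  setfenv(chunk, env)
  return pcall(chunk)
end

-- Caveat the whitelist alone does not cover: the string metatable's __index
-- is the real global `string` table, so ("").dump still reaches string.dump
-- through method syntax. Pointing it at the sandbox copy closes that hole,
-- at the cost of changing method lookup for host code too (a host decision).
local function seal_string_metatable(env)
  getmetatable("").__index = env.string
end

local env = make_sandbox_env()

-- Globals never copied in are nil inside the sandbox; calling one is an error.
print(run_sandboxed("return type(newproxy), type(getmetatable), type(rawset)", env))
print(run_sandboxed("return newproxy(true)", env))

-- Before sealing, ('').dump is a function; after sealing, it is nil.
print(run_sandboxed("return type(('').dump)", env))
seal_string_metatable(env)
print(run_sandboxed("return type(('').dump)", env))

-- Whitelisted functionality still works as expected.
print(run_sandboxed("return string.rep('ab', 3), math.floor(2.7)", env))
```

Run it with a Lua 5.1 interpreter (lua5.1 demo.lua). The point of the second half is the one Matthew makes: an attacker-controlled chunk cannot call newproxy, or anything else, unless the host deliberately placed it in the environment, so the question "what undocumented globals exist?" only matters for a sandbox built by subtraction from _G rather than by addition to an empty table. The string-metatable check is included because it is the usual way a whitelist-by-copy sandbox still leaks the full string library.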