lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Mike Pall <mikelu-1102 <at>> writes:
> That's not a viable approach for sandboxing. The only reasonably
> safe way to run untrusted/malicious Lua scripts is to sandbox it
> at the process level.

What you are saying applies only to FFI, right?  Without FFI,
can't either Lua or LuaJIT be very tightly sandboxed in-process
with an approach like this?

This might be a reason to maintain both FFI and non-FFI bindings
for C libraries: FFI for speed, non-FFI when robust sandboxing of
untrusted code is required.

If this analysis is sound, I think my FFI bindings will indeed
use the ctype finalizer support you have just added, since the
cdata-wrapping userdata isn't actually any more secure than
giving the user a cdata directly, from a sandboxing perspective
(it's just a little bit more obscure).