- Subject: Re: LuaJIT FFI __gc metamethod?
- From: Mike Pall <mikelu-1102@...>
- Date: Mon, 28 Feb 2011 22:45:33 +0100
Josh Haberman wrote:
> Mike Pall <mikelu-1102 <at> mike.de> writes:
> > That's not a viable approach for sandboxing. The only reasonably
> > safe way to run untrusted/malicious Lua scripts is to sandbox it
> > at the process level.
> What you are saying applies only to FFI, right? Without FFI,
> can't either Lua or LuaJIT be very tightly sandboxed in-process
> with an approach like this?
No, it applies to Lua in general. The advice in that page is
incomplete and outright dangerous. E.g. string.find() can lock up
your CPU and, nope, setting a hook won't help here:
string.find(string.rep("a", 50), string.rep("a?", 50)..string.rep("a", 50))
Ditto for quite a few other standard functions. And trying to
close all loopholes in your interface code, which is exposed to
the untrusted code, is near hopeless (e.g. never use tostring() in
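As an added illustration of the string.find() lock-up in the message above (example code written for this page, not part of the thread or of Lua's or LuaJIT's sources): a Python model of how lstrlib's matcher backtracks on the single-character optional "?", with a step counter so the exponential cost can be measured without actually pinning a CPU. The function names and the step-budget parameter are assumptions for the model; Lua's C matcher has no such budget.

```python
# Toy model of lstrlib's backtracking for the single-char optional "?".
# Only literal characters and "?" are supported; the step counter is the
# point. (Added example; budget/limit names are assumptions, not Lua API.)

def match_at(subject, i, pat, j, counter, budget=None):
    """Match pat[j:] at subject[i:]; return end index or None."""
    counter[0] += 1                      # one unit of matcher work
    if budget is not None and counter[0] > budget:
        # The real C matcher has no such bound, and a debug hook never
        # fires inside it, which is why string.find can pin the CPU.
        raise RuntimeError("matching step budget exceeded")
    if j == len(pat):
        return i
    c = pat[j]
    if j + 1 < len(pat) and pat[j + 1] == "?":
        # Like lstrlib: try consuming one char first, then retry without.
        if i < len(subject) and subject[i] == c:
            end = match_at(subject, i + 1, pat, j + 2, counter, budget)
            if end is not None:
                return end
        return match_at(subject, i, pat, j + 2, counter, budget)
    if i < len(subject) and subject[i] == c:
        return match_at(subject, i + 1, pat, j + 1, counter, budget)
    return None


def find_steps(subject, pat, budget=None):
    """Model string.find (unanchored): return (found, steps_used)."""
    counter = [0]
    for start in range(len(subject) + 1):
        if match_at(subject, start, pat, 0, counter, budget) is not None:
            return True, counter[0]
    return False, counter[0]


def pathological_steps(n):
    """Steps for the thread's pattern family scaled to n:
    string.find(("a"):rep(n), ("a?"):rep(n) .. ("a"):rep(n))
    The model yields (n + 4) * 2**(n - 1) - 1, i.e. exponential in n."""
    return find_steps("a" * n, "a?" * n + "a" * n)[1]


def exceeds_budget(n, budget):
    """True if the size-n pathological match is cut off by the budget."""
    try:
        find_steps("a" * n, "a?" * n + "a" * n, budget=budget)
        return False
    except RuntimeError:
        return True
```

In this model pathological_steps(16) comes out at 655359 steps while the same subject against the plain pattern "a" * 16 takes 17, and at n = 50 the closed form is about 1.5e16, which is the lock-up described above; the budget parameter shows the kind of work bound a defender would have to enforce outside the script (length caps on untrusted subjects and patterns, or a process-level limit), since no Lua hook can interrupt the C matcher.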