On 11/09/2011 16.45, Daurnimator wrote:
> On 12 September 2011 00:26, Richter, Jörg <Joerg.Richter@pdv-fs.de> wrote:
>>> In Lua you cannot sandbox a metatable away. An offending script still might just call getmetatable.
>>
>> Then use __metatable: http://www.lua.org/manual/5.1/manual.html#pdf-getmetatable
>>
>> Jörg
>
> As a note to using __metatable; it's a good idea to return a string/object unique to each metatable. It's nice if code can use getmetatable() to check for type equality.

Couldn't you simply use the metatable itself as a "type identifier"?

If you are concerned about security and don't want to expose the metatable, returning a "type token" using __metatable just moves the issue.
In fact any client can store the token and then create bogus objects with fake identity (when asked they could return the previously stored token) so we have another security hole (of another kind).
Or am I missing something?
> D
-- Lorenzo
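
The token-forging concern raised in this message, as an added example that is not part of the original thread: a type check that compares the `__metatable` token accepts a forged object, while a check against a private weak-keyed registry does not. The names `Account`, `new_account`, `is_account_by_token`, `is_account` and `untrusted` are hypothetical, and the registry is one possible mitigation, not something proposed in the thread.

```lua
-- Added example (Lua 5.1 or later); all names here are hypothetical.
local TOKEN = "Account"                        -- value exposed through __metatable
local instances = setmetatable({}, { __mode = "k" })  -- private, weak-keyed registry

local Account_mt = { __metatable = TOKEN }
Account_mt.__index = Account_mt

local function new_account(balance)
  local obj = setmetatable({ balance = balance }, Account_mt)
  instances[obj] = true                        -- recorded by trusted code only
  return obj
end

-- Check 1: type test based on the public token.
local function is_account_by_token(v)
  return getmetatable(v) == TOKEN
end

-- Check 2: type test based on state the sandboxed code cannot reach.
local function is_account(v)
  return instances[v] == true
end

-- Constructed "untrusted" script: it is handed getmetatable, setmetatable
-- and one genuine object, as a sandbox that exposes those functions would.
local function untrusted(real, getmetatable, setmetatable)
  local token = getmetatable(real)             -- yields the token, not the metatable
  return setmetatable({ balance = 1e9 }, { __metatable = token })
end

local real = new_account(10)
local fake = untrusted(real, getmetatable, setmetatable)

assert(getmetatable(real) == TOKEN)            -- the metatable itself stays hidden
assert(not pcall(setmetatable, real, {}))      -- and cannot be replaced
assert(is_account_by_token(real))
assert(is_account_by_token(fake))              -- forged identity passes the token check
assert(is_account(real))
assert(not is_account(fake))                   -- registry check rejects the forgery
print("token check:", is_account_by_token(fake), "registry check:", is_account(fake))
```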