lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

2013/6/2 Dirk Laurie <>:
> Now that getfenv is finally dead and buried, is the function
> environment tamper-proof against anything short of
> debug.getupvalue?

(Sorry resend because of top-most. Gmail made it too easy.)

I don't think function environment is less temper-proof. Sure you can
modify it through something like debug.getupvalue for which you can
not do with the old "env". But that is pointless in terms of security
because what an attacker can put into _ENV is what the attacker
already has. The point of having a secured _ENV is to prevent the
attacker from getting what he does not have, rather than forbid one
from putting what he already has to anywhere.