

On Dec 18, 2013, at 6:43 PM, Rena <hyperhacker@gmail.com> wrote:

> It's very tempting to write config files that are just Lua scripts that construct tables/strings and call some pre-defined functions. The only problem with this is that a faulty or malicious config file can do a lot more than a config file should be able to do.

My solution for this problem would be to disallow almost all keywords and only allow variable assignments and table creation. The environment will also not contain any functions; actually, the environment for parsing Lua-based config files will be entirely empty before parsing the file. After the file is parsed, the environment would then contain the (global) variables defined in the config file.

Of course, this would require a patched Lua (like Lunia is!). Not a significant patch really, just a flag to indicate the file being parsed is a config file, which would then throw an error when "bad" keywords were encountered.

Using Lua code in config files is very doable; as an example, you only need to look as far as World of Warcraft. They use Lua extensively for their AddOn system, including configuration files for the AddOns themselves.

~pmd~
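
The empty-environment half of this idea can be tried on unpatched Lua 5.2 or later. The following is an added example, not code from the post or from Lunia; `load_config`, `is_plain_data` and `MAX_INSTRUCTIONS` are hypothetical names, and because stock Lua cannot reject keywords, an instruction-count hook stands in for the proposed keyword check.

```lua
-- Added example for Lua 5.2 or later; not code from the post or from Lunia.
-- load_config, is_plain_data and MAX_INSTRUCTIONS are hypothetical names.
local MAX_INSTRUCTIONS = 100000

-- Accept only booleans, numbers, strings and tables built from them.
local function is_plain_data(v, seen)
  local t = type(v)
  if t == "boolean" or t == "number" or t == "string" then return true end
  if t ~= "table" then return false end
  if seen[v] then return true end  -- already visited (also stops cycles)
  seen[v] = true
  for k, val in pairs(v) do
    if not (is_plain_data(k, seen) and is_plain_data(val, seen)) then
      return false
    end
  end
  return true
end

local function load_config(source, chunkname)
  local env = {}  -- empty: no print, os, io, require, setmetatable, ...
  -- Mode "t" accepts source text only, so precompiled bytecode is rejected.
  local chunk, err = load(source, chunkname, "t", env)
  if not chunk then return nil, err end

  -- Stock Lua cannot reject keywords such as `while`, so bound the run:
  -- a count hook on the chunk's own coroutine aborts it after the budget.
  local co = coroutine.create(chunk)
  debug.sethook(co, function() error("instruction budget exceeded", 0) end,
                "", MAX_INSTRUCTIONS)
  local ok, run_err = coroutine.resume(co)
  if not ok then return nil, run_err end

  -- The file can still define functions; accept the result only if it is data.
  if not is_plain_data(env, {}) then
    return nil, "config contains non-data values"
  end
  return env
end

-- Constructed sample inputs.
local good = 'name = "demo"\nports = { 80, 443 }\nlimits = { retries = 3 }'
local cfg = assert(load_config(good, "=good"))
assert(cfg.name == "demo" and cfg.ports[2] == 443 and cfg.limits.retries == 3)
assert(not load_config('print("hi")', "=calls"))            -- print is nil
assert(not load_config('while true do end', "=loops"))      -- budget exceeded
assert(not load_config('f = function() end', "=function"))  -- not plain data

-- Caveat: string methods stay reachable through the string metatable, e.g.
-- ("x"):rep(n), and the count hook does not interrupt a running C function.
```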