lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On Wed, Dec 18, 2013 at 8:20 PM, Paige DePol <lual@serfnet.org> wrote:
On Dec 18, 2013, at 6:43 PM, Rena <hyperhacker@gmail.com> wrote:

> It's very tempting to write config files that are just Lua scripts that construct tables/strings and call some pre-defined functions. The only problem with this is that a faulty or malicious config file can do a lot more than a config file should be able to do.

My solution for this problem would be to disallow almost all keywords and only allow variable assignments and table creation. The environment will also not contain any functions, actually, the environment for parsing lua-based config files will be entirely empty before parsing the file. After the file is parsed the environment would then contain the (global) variables defined in the config file.

Of course, this would require a patched Lua (like Lunia is!). Not a significant patch really, just a flag to indicate the file being parsed is a config file, which would then throw an error when "bad" keywords were encountered.

Using Lua code in config files is very doable, as an example you only need to look as far as World of Warcraft. They use Lua extensively for their AddOn system, including configuration files for the AddOns themselves.

~pmd~



That's pretty much what I had in mind. You could potentially even do this yourself by parsing the input file manually, but it would be tricky to catch all possible "bad" cases (and at that point you may as well not use Lua for the config file at all).
I also don't think the environment needs to be completely empty. I usually provide nothing but a few functions and constants specifically for use in the config file, which accept some table or string and do something with it, so we can exploit Lua's nice flexible syntax and write nice things like:

file "myfile" {
    protected, --a variable from _ENV with a unique value
    path = "/home/rena/myfile",
}

On Wed, Dec 18, 2013 at 8:20 PM, William Ahern <william@25thandclement.com> wrote:
It will never be safe to load untrusted code, simply because it's naive to
assume that Lua will ever be without bugs. This last release fixed a couple
of issues that could have led to a crash or exploit using basic function
syntax, without access to any the base library.

Of course this is true, but Lua is pretty solid, and the only exploits I know of required things that a config file has no need for (debug library, bytecode). It can never be 100% safe, but then, can you trust that your own config parser is 100% safe? ;-)

--
Sent from my Game Boy.