On Dec 18, 2013, at 6:43 PM, Rena <hyperhacker@gmail.com> wrote:
> It's very tempting to write config files that are just Lua scripts that construct tables/strings and call some pre-defined functions. The only problem with this is that a faulty or malicious config file can do a lot more than a config file should be able to do.

My solution for this problem would be to disallow almost all keywords and only allow variable assignments and table creation. The environment will also not contain any functions; actually, the environment for parsing Lua-based config files will be entirely empty before parsing the file. After the file is parsed, the environment would then contain the (global) variables defined in the config file.
Of course, this would require a patched Lua (like Lunia is!). Not a significant patch really, just a flag to indicate the file being parsed is a config file, which would then throw an error when "bad" keywords were encountered.
Using Lua code in config files is very doable, as an example you only need to look as far as World of Warcraft. They use Lua extensively for their AddOn system, including configuration files for the AddOns themselves.
~pmd~
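The "entirely empty environment" part of the approach above can be tried in stock Lua 5.2 or later without the parser patch, by passing a fresh table as the `env` argument of `load` and refusing bytecode with mode `"t"`. The following is an added example, not code from the thread or from Lunia; `load_config`, the two sample configs and the limits are my own assumptions. It also adds an instruction-count and memory check via `debug.sethook`, because an empty environment alone does not stop a config from looping forever or building a huge string with nothing but the `..` operator.

```lua
-- Added example: load a Lua-syntax config file into an empty environment.
-- Assumes Lua 5.2+ (load with an env argument); names are hypothetical.

-- Constructed sample config: only assignments and table constructors.
local GOOD_CONFIG = [[
name = "server"
port = 8080
listeners = { "127.0.0.1", "::1" }
limits = { max_conn = 100, timeout = 30 }
]]

-- Constructed "malicious" config: tries to reach the os library.
local BAD_CONFIG = [[
os.execute("id")
]]

-- Constructed "faulty" config: no function calls at all, but it never ends.
local LOOP_CONFIG = [[
while true do end
]]

-- Constructed memory bomb: no globals needed, only string concatenation.
local MEMORY_CONFIG = [[
s = "x"
for i = 1, 60 do s = s .. s end
]]

-- load_config(src, max_instructions, max_kb) -> env table, or nil, reason
--   * mode "t" rejects precompiled bytecode, which can crash the VM
--   * env is a fresh empty table, so the chunk sees no globals at all and
--     any call (os.execute, print, ...) fails with "attempt to index/call
--     a nil value"; after running, env holds exactly the globals it assigned
--   * a count hook on the chunk's own coroutine aborts it after too many
--     VM instructions or too much allocated memory
-- This bounds what a chunk can do; it does nothing about bugs in the Lua
-- parser or VM themselves.
local function load_config(src, max_instructions, max_kb)
  max_instructions = max_instructions or 100000
  max_kb = max_kb or 1024
  local env = {}
  local chunk, err = load(src, "=config", "t", env)
  if not chunk then
    return nil, "syntax error: " .. err
  end

  local co = coroutine.create(chunk)
  local executed = 0
  local step = 100 -- check every 100 VM instructions
  debug.sethook(co, function()
    executed = executed + step
    if executed > max_instructions then
      error("instruction limit exceeded", 0)
    end
    if collectgarbage("count") > max_kb then
      error("memory limit exceeded", 0)
    end
  end, "", step)

  local ok, runerr = coroutine.resume(co)
  if not ok then
    return nil, "runtime error: " .. tostring(runerr)
  end
  return env
end

-- Usage: the good config yields a plain table of its globals.
local cfg = assert(load_config(GOOD_CONFIG))
assert(cfg.name == "server" and cfg.port == 8080)
assert(cfg.listeners[2] == "::1" and cfg.limits.max_conn == 100)

-- The others are rejected with a reason instead of affecting the host.
for _, src in ipairs({ BAD_CONFIG, LOOP_CONFIG, MEMORY_CONFIG }) do
  local result, why = load_config(src, 10000, 4096)
  assert(result == nil)
  print("rejected: " .. why)
end
```

Note the memory check is needed even with an empty environment: string methods stay reachable through the string metatable (`("x"):rep(n)`), and plain `..` in a loop needs no library at all. The hook runs on the coroutine created for the chunk, so the host's own code is not slowed by it.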
It will never be safe to load untrusted code, simply because it's naive to assume that Lua will ever be without bugs. This last release fixed a couple of issues that could have led to a crash or exploit using basic function syntax, without access to any of the base library.