- Subject: Re: Using Lua for config files
- From: Luiz Henrique de Figueiredo <lhf@...>
- Date: Wed, 18 Dec 2013 23:59:01 -0200

> It's very tempting to write config files that are just Lua scripts that
> construct tables/strings and call some pre-defined functions. The only
> problem with this is that a faulty or malicious config file can do a lot
> more than a config file should be able to do.

If that's for a program meant for the end user, why try to avoid letting
them shoot themselves in the foot?

If that's for a server, if they are config files, aren't they trusted?

Bottom line: what damage do you expect can be done? to whom?

Anyway, one simple way to avoid most problems is to force the config file
to be a Lua table, like this:

{
....
}

Then add "return " before loading it. Lo and behold, no loops etc. are allowed.
You just need to worry about what functions the script will see.

(You can even hide { and } in the loader, so that your config file will
just be a series of assignments, but you need to require that each assignment
ends with a semicolon.)

But unfortunately one can still write anonymous functions
and then write full-blown Lua programs inside them:

{
malice = (function () while true do end end)()
}

Now if you can patch your Lua lexer to avoid the keyword "function", then
you're ok. One simple way is to change "function" to "function " (note the
space). You can also clear the "reserved" flag for the string "function"
just before loading the config file.
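
Added example, not part of the original message: a loader for the "return " scheme described above, with an empty environment so the config sees no functions. It assumes Lua 5.2 or later; load_config, MAX_STEPS and the sample strings are hypothetical, and the instruction-count hook is a stand-in for the lexer patch the message suggests, not the same technique.

```lua
-- Added example (not from the original message). Requires Lua 5.2 or later.
-- load_config, MAX_STEPS and the sample strings are hypothetical.

local MAX_STEPS = 100000  -- assumed instruction budget for evaluating a config

local function load_config(text)
  -- Prepending "return " forces the file to be a single expression (a table
  -- constructor): top-level statements such as loops become syntax errors.
  -- Mode "t" rejects precompiled bytecode; the empty table is the chunk's
  -- environment, so the config sees no global functions at all.
  local chunk, err = load("return " .. text, "=config", "t", {})
  if not chunk then return nil, "syntax: " .. err end

  -- Backstop for the anonymous-function case: abort evaluation once the
  -- instruction budget is spent. This uses a count hook in place of the
  -- lexer patch suggested in the message.
  debug.sethook(function() error("config exceeded step budget", 0) end,
                "", MAX_STEPS)
  local ok, result = pcall(chunk)
  debug.sethook()  -- always remove the hook again

  if not ok then return nil, "runtime: " .. tostring(result) end
  if type(result) ~= "table" then return nil, "config must be a table" end
  return result
end

-- Constructed sample inputs.
local samples = {
  good   = '{ host = "example.org", port = 8080, tags = { "a", "b" } }',
  loop   = '{ } while true do end',
  calls  = '{ home = os.getenv("HOME") }',
  malice = '{ malice = (function () while true do end end)() }',
}

for _, name in ipairs({ "good", "loop", "calls", "malice" }) do
  local cfg, err = load_config(samples[name])
  if cfg then
    print(name, "accepted", cfg.host, cfg.port)
  else
    print(name, "rejected", err)
  end
end
```

An empty environment does not hide the string library: string values still reach it through their metatable, and work done inside those C functions is not interrupted by the count hook.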