lua-l archive


On Wed, Dec 18, 2013 at 8:59 PM, Luiz Henrique de Figueiredo <lhf@tecgraf.puc-rio.br> wrote:
> > It's very tempting to write config files that are just Lua scripts that
> > construct tables/strings and call some pre-defined functions. The only
> > problem with this is that a faulty or malicious config file can do a lot
> > more than a config file should be able to do.
>
> If that's for a program meant for the end user, why try to avoid letting
> them shoot themselves in the foot?
>
> If that's for a server, if they are config files, aren't they trusted?
>
> Bottom line: what damage do you expect can be done? to whom?

That's true, and this is the mindset I've used so far. Unfortunately in practice, a user's config files are usually stored somewhere in their $HOME, and anything they run can write to any file there, so some malicious program could go tampering with some other program's config. I'm also considering the situation where the "config" file is some complex description of something (say, a level for a game), and people will be sharing and downloading them - it would be ideal if they didn't have to worry that those files might be malicious.
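
The following is an added example, not part of the original message or thread: one way to run a Lua-script config file (such as a shared game level) so that it can only build tables and call the pre-defined functions. It assumes Lua 5.2 or later; `load_config`, `level` and the sample file names are hypothetical.

```lua
-- Added example (Lua 5.2 or later). load_config and level are hypothetical names.
local function load_config(source, chunkname)
  local result = {}
  -- The chunk's only globals: the pre-defined functions the format allows.
  -- No os, io, require, load, pcall, debug or _G is reachable from here.
  local env = {
    level = function(t)
      if type(t) ~= "table" then error("level expects a table", 2) end
      result.level = t
    end,
  }
  -- Mode "t" accepts source text only, so precompiled bytecode is rejected.
  local chunk, err = load(source, "=" .. chunkname, "t", env)
  if not chunk then return nil, err end
  -- Count hook: abort after a fixed number of VM instructions (runaway loops).
  -- It does not bound memory or time spent inside C functions such as
  -- string.rep, which stay reachable through the string metatable.
  debug.sethook(function()
    error("instruction budget exceeded", 0)
  end, "", 100000)
  local ok, runerr = pcall(chunk)
  debug.sethook() -- remove the hook again
  if not ok then return nil, runerr end
  return result
end

-- Constructed sample inputs.
local samples = {
  { "good.lua", [[level { name = "cave", width = 40, height = 20 }]] },
  { "tamper.lua", [[os.execute("echo tampered")]] },
  { "loop.lua", [[while true do end]] },
  { "binary.lua", "\27Lua" },
}
for _, s in ipairs(samples) do
  local cfg, err = load_config(s[2], s[1])
  if cfg then
    print(s[1], "accepted", cfg.level and cfg.level.name)
  else
    print(s[1], "rejected", err)
  end
end
```

Only the first sample is accepted; the others fail at load time or inside `pcall` without touching the host program's globals.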