lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


Rena:

> I'm also considering the situation where the "config" file is some complex description of something (say, a level for a game), and people will be sharing and downloading them - it would be ideal if they didn't have to worry that those files might be malicious.

I use something very similar to what Luiz proposed combined with
Roberto's suggestion on this list to disallow function calls using
debug hook: http://lua-users.org/lists/lua-l/2013-01/msg00287.html

The referenced thread may be interesting to re-read as well.

Paul

On Wed, Dec 18, 2013 at 6:03 PM, Rena <hyperhacker@gmail.com> wrote:
> On Wed, Dec 18, 2013 at 8:59 PM, Luiz Henrique de Figueiredo
> <lhf@tecgraf.puc-rio.br> wrote:
>>
>> > It's very tempting to write config files that are just Lua scripts that
>> > construct tables/strings and call some pre-defined functions. The only
>> > problem with this is that a faulty or malicious config file can do a lot
>> > more than a config file should be able to do.
>>
>> If that's for a program meant for the end user, why try to avoid letting
>> them shoot themselves in the foot?
>>
>> If that's for a server, if they are config files, aren't they trusted?
>>
>> Bottom line: what damage do you expect can be done? to whom?
>
>
> That's true, and this is the mindset I've used so far. Unfortunately in
> practice, a user's config files are usually stored somewhere in their $HOME,
> and anything they run can write to any file there, so some malicious program
> could go tampering with some other program's config. I'm also considering
> the situation where the "config" file is some complex description of
> something (say, a level for a game), and people will be sharing and
> downloading them - it would be ideal if they didn't have to worry that those
> files might be malicious.