lua-l archive


On Mon, Mar 17, 2014 at 8:41 PM, Thijs Schreijer
<thijs@thijsschreijer.nl> wrote:
> Solutions are nice, but is there some list of potential problems? What I mean is; what should I consider to protect against when sandboxing?

There's the wiki page: http://lua-users.org/wiki/SandBoxes

I mentioned the string metatable thing because it's easy to overlook;
you might exclude the string library, and then someone could use it
through a string literal.  String functions can be used to construct a
very effective explosive.

But the Billion Laughs attack, that's a nasty one.  The problem with
dynamic solutions (restricting memory, restricting instruction count)
is that they are going to slow Lua down, which is an issue with
reading big data files.
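
The string-metatable point above, as an added example that is not part of the original post: under Lua 5.2 or later, a chunk loaded into an empty environment still reaches `string.rep` through a literal, and the host can narrow the shared string metatable while untrusted code runs. The `safe` allowlist, `MAX_LEN` and the function names are assumptions made for illustration.

```lua
-- Added example, Lua 5.2+ (relies on load() taking an environment argument).
-- Constructed untrusted chunk: its environment has no `string` table, yet
-- method syntax on a literal resolves through the shared string metatable.
local untrusted = [[ return ("ab"):rep(3) ]]

local function run_sandboxed(src)
  local env = {}  -- empty environment: no string library, no getmetatable
  -- mode "t" accepts source text only and rejects precompiled bytecode
  local chunk, err = load(src, "untrusted", "t", env)
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Excluding `string` from env did not help: the call below still succeeds.
print("empty env:", run_sandboxed(untrusted))

-- Mitigation sketch: while untrusted code runs, point the string metatable's
-- __index at an allowlist with a size-capped rep. Pattern functions
-- (find, match, gmatch, gsub) are left out of this allowlist on purpose.
local string_mt = getmetatable("")
local original_index = string_mt.__index  -- normally the `string` table
local MAX_LEN = 1024                      -- assumed per-result limit

local safe = {
  len = string.len, sub = string.sub, byte = string.byte,
  upper = string.upper, lower = string.lower,
  rep = function(s, n, sep)
    sep = sep or ""
    if type(n) ~= "number" or type(sep) ~= "string" then
      error("bad argument to rep", 2)
    end
    if n > 0 and (#s + #sep) * n > MAX_LEN then
      error("string.rep result too large", 2)
    end
    return string.rep(s, n, sep)
  end,
}

local function run_restricted(src)
  -- The metatable is shared by the whole Lua state, so swap it only for the
  -- duration of the call and restore it for host code afterwards.
  string_mt.__index = safe
  local ok, result = run_sandboxed(src)  -- pcall inside guarantees we return
  string_mt.__index = original_index
  return ok, result
end

print("small rep:", run_restricted(untrusted))
print("large rep:", run_restricted([[ return ("ab"):rep(100000) ]]))
print("no gsub:  ", run_restricted([[ return ("ab"):gsub("a", "b") ]]))
```

This bounds a single `rep` call only; it does not address total memory or CPU use, which are the dynamic limits discussed in the message.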