[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: [PATCH] 'data' mode for loadfile
- From: steve donovan <steve.j.donovan@...>
- Date: Mon, 17 Mar 2014 21:34:52 +0200
On Mon, Mar 17, 2014 at 8:41 PM, Thijs Schreijer
> Solutions are nice, but is there some list of potential problems? What I mean is; what should I consider to protect against when sandboxing?
There's the wiki page: http://lua-users.org/wiki/SandBoxes
I mentioned the string metatable thing because it's easy to overlook;
you might exclude the string library, and then someone could use it
through a string literal. String functions can be used to construct a
very effective explosive.
But the Billion Laughs attack, that's a nasty one. The problem with
dynamic solutions (restricting memory, restricting instruction count)
is that they are going to slow Lua down, which is an issue with
reading big data files.