

> Aha, this thread has come back to life. I was a bit confused. :-)
> 
> There are a lot of simple ways to consume a huge amount of CPU time and
> memory with very few Lua statements. One of my favourites is:
> 
> s = ('xxxxxxxxxxxxxxxx'):rep(99999999):rep(99999999):rep(99999999)
> 
> This not only consumes a lot of memory, but because nearly all of the time
> is spent in string.rep, debug hooks won't be called either (the entire
> function call is a single Lua operation). And even if you don't provide
> string.rep, there may be many other C functions that can be exploited
> similarly. How about io.lines('/dev/urandom')? It forces you to be very
> careful about any C function you provide. (Or use the OS provided
> mechanisms to limit CPU time for the entire thread/process.)

With the sandbox I proposed, you cannot call arbitrary library
functions. Of course, for any sandbox you have to be very careful
about any C function you provide. (However, for a configuration file
you probably do not need many functions, if any at all.)  But your
example called my attention to the backdoor of the string lib, that
can be called directly from strings.  This is easily fixed by checking
functions in the call hook.

-- Roberto
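The string-metatable backdoor and the call-hook check that Roberto's reply describes, shown as an added example that is not part of the original post or of any Lua project code. The allow-list, the environment table and the two sample chunks are assumptions made for this illustration; the hook logic follows the reply's suggestion of checking functions in the call hook.

```lua
-- Added example (not from the lua-l post): a small sandbox that runs a
-- configuration chunk with a hand-picked environment and installs a call
-- hook that refuses any C function outside an allow-list. The allow-list
-- and the sample chunks below are assumptions made for this illustration.
-- Works on Lua 5.1 (loadstring/setfenv) and Lua 5.2+ (load with env).

local unpack = table.unpack or unpack

-- C functions the configuration chunk may call (assumed list).
local allowed = {}
for _, f in ipairs({ math.floor, tostring, pairs, next }) do allowed[f] = true end

local active = false   -- true only while the sandboxed chunk is running

local function call_hook(event)
  if not active then return end
  -- Level 2 is the function whose call triggered the hook (level 1 is the
  -- hook itself). Lua functions defined by the chunk pass; a C function is
  -- refused unless it is on the allow-list. This also catches ('x'):rep(n),
  -- which reaches string.rep through the string metatable even though
  -- `string` is not in the chunk's environment.
  local info = debug.getinfo(2, "fS")
  if info and info.what == "C" and not allowed[info.func] then
    error("sandbox: call to disallowed C function refused", 3)
  end
end

local function load_config(code, env)
  if setfenv then                                   -- Lua 5.1
    local chunk, err = loadstring(code, "=config")
    if not chunk then return nil, err end
    setfenv(chunk, env)
    return chunk
  end
  return load(code, "=config", "t", env)            -- Lua 5.2+, text chunks only
end

-- Runs `code` against `env`; returns true on success, or false and the error.
local function run_config(code, env)
  local chunk, err = load_config(code, env)
  if not chunk then return false, err end
  local results = { pcall(function()
    active = true
    debug.sethook(call_hook, "c")   -- "c": fire on every call event
    return chunk()
  end) }
  active = false                    -- so removing the hook is not itself refused
  debug.sethook()
  return unpack(results)
end

-- Constructed sample chunks: the first uses only allowed functions, the
-- second reaches string.rep through the string metatable and is refused.
local env = { floor = math.floor, tostring = tostring }
print(run_config("name = tostring(floor(3.7))", env))
print(env.name)
print(run_config("s = ('x'):rep(10)", env))
```

The first chunk succeeds and sets `env.name`; the second is stopped at the call hook before `string.rep` runs, and `run_config` returns false with the error raised from the hook. As the quoted message points out, a call hook only governs entry into a function: once an allowed C function is executing, no hook fires until it returns, so CPU or memory limits on that work still have to come from a count hook or from the operating system.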