> In fact, this behavior makes it HARDER to sandbox untrusted functions,
> though Roberto would no doubt point out that you cannot trust bytecode
> anyway, and should only load Lua text, which will have a correctly
> wired “main” chunk function.

I will point out another thing. There is a difference between sandboxing
a function and sandboxing a chunk. A function can access the environment
through *any* of its upvalues; there is nothing special about _ENV.

  local g, m = _G, math
  function untrusted ()
    for k in pairs(m) do m[k] = nil end
    for k in pairs(g) do g[k] = nil end
  end

So, if you want to call an untrusted function, you should check all
its upvalues, not only _ENV or the first one.

A chunk, on the other hand, is loaded with no upvalues, except the first
one (if you did not take care of it). Changing that first upvalue to nil
will ensure that the resulting function has no external access, no matter
whether that first one was _ENV or not. Again, there is nothing special
about _ENV.

So, our view is: we do not want to treat _ENV in a special way because
really there is nothing special about it.

-- Roberto
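An added example (not part of Roberto's post) showing both halves of the argument in code: enumerating every upvalue of an untrusted function before calling it, and neutralising a loaded chunk by replacing its single upvalue, whatever that upvalue is called. It assumes Lua 5.2 or later, that the host itself has the `debug` library, and that `load` is given mode "t" so only source text is accepted; `check_upvalues` and its whitelist-by-reference scheme are this example's own design, not anything from the post.

```lua
-- Added example, not code from the post. Assumes Lua 5.2+ and that the
-- host (not the sandboxed code) may use the `debug` library.

-- The function from the post: it reaches _G and math through ordinary
-- upvalues, and also picks up _ENV as an upvalue because `pairs` is a
-- global access. Nothing about _ENV makes it special here.
local g, m = _G, math
local function untrusted()
  for k in pairs(m) do m[k] = nil end
  for k in pairs(g) do g[k] = nil end
end

-- Enumerate *all* upvalues of a function, not just the first one.
-- debug.getupvalue returns (name, value) until the index runs past the end.
local function upvalues(f)
  local list = {}
  local i = 1
  while true do
    local name, value = debug.getupvalue(f, i)
    if name == nil then break end
    list[#list + 1] = { index = i, name = name, value = value }
    i = i + 1
  end
  return list
end

-- Host-side check before calling an untrusted function: any upvalue that
-- holds a table, function or userdata must be one the host explicitly
-- allowed (whitelist keyed by reference). Scalars cannot grant access.
local function check_upvalues(f, allowed)
  for _, uv in ipairs(upvalues(f)) do
    local t = type(uv.value)
    if (t == "table" or t == "function" or t == "userdata")
       and not allowed[uv.value] then
      return false, ("upvalue %d (%s) reaches an outside %s"):format(uv.index, uv.name, t)
    end
  end
  return true
end

-- With an empty whitelist the function above is rejected on its first
-- table-valued upvalue (_ENV, g or m, depending on the order the compiler
-- assigned them); the check does not care which name it has.
print(check_upvalues(untrusted, {}))

-- A chunk loaded from source has exactly one upvalue, which `load` wires
-- to the global table. Mode "t" rejects precompiled bytecode entirely.
local src = "return print, math"
local chunk = assert(load(src, "=untrusted", "t"))
print(#upvalues(chunk))          -- one upvalue, whatever it is called

-- Option 1: load with an explicit empty environment; every global
-- reference in the chunk resolves to nil.
local sealed = assert(load(src, "=untrusted", "t", {}))
print(sealed())

-- Option 2, as the post describes: set that first upvalue to nil.
-- The chunk then has no external access at all; any global reference
-- raises an error rather than reaching the host's tables.
debug.setupvalue(chunk, 1, nil)
print(pcall(chunk))
```

Running this prints a rejection message for `untrusted`, the count `1` for the freshly loaded chunk, `nil nil` for the chunk loaded with an empty environment, and a `false` plus an "attempt to index a nil value" error for the chunk whose first upvalue was cleared. The `debug.setupvalue` step works because `load` gives a source chunk one upvalue and nothing else; a function obtained any other way has to go through `check_upvalues`, since it may hold any number of upvalues pointing anywhere.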