lua-l archive


2015-05-03 20:38 GMT+02:00 Andrew Starks <andrew.starks@trms.com>:
> On Sunday, May 3, 2015, Nagaev Boris <bnagaev@gmail.com> wrote:
>> On Sun, May 3, 2015 at 5:06 PM, Dirk Laurie <dirk.laurie@gmail.com> wrote:
>> > If the methods were all provided by the sandbox author, who presumably
>> > knows what he is doing, I don't see the problem.
>> >
>>
>> Can a sandbox isolate added string's methods? Can you provide a
>> sandboxing function passing this test:
>>
>> string.hack = function() print("Hacked") end
>> code = [[ ("just string"):hack() ]]
>> sandbox(code)
>
> Also, you can use the debug library to discover the caller's environment and
> then call the methods found in the "strings" library of that _ENV or yours,
> if that table is absent.

Are you seriously proposing that a sandbox execute stuff from
the caller's environment? Seriously?
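
The test quoted above works because all strings in a Lua state share one metatable, so a method call on a string literal never consults the chunk's environment. The following is an added example, not code from any poster in this thread, of one way a `sandbox` function can pass that test without the debug library. It assumes Lua 5.2 or later; the whitelist contents and the names `SAFE_NAMES` and `originals` are hypothetical choices for illustration.

```lua
-- Added example. Assumption: Lua 5.2+ (load() accepts an environment table).
-- The string metatable's __index is normally the global `string` table, so
-- ("x"):hack() reaches string.hack whatever _ENV the sandboxed chunk was given.

-- Hypothetical whitelist, captured before any untrusted code runs.
local SAFE_NAMES = { "byte", "char", "find", "format", "len", "lower",
                     "reverse", "sub", "upper" }
local originals = {}
for _, name in ipairs(SAFE_NAMES) do originals[name] = string[name] end

local function sandbox(code)
  -- Fresh copy per run, so one chunk cannot poison the table for the next.
  local safe_string = {}
  for name, fn in pairs(originals) do safe_string[name] = fn end

  local env = { string = safe_string, print = print }
  local chunk, err = load(code, "=sandbox", "t", env)   -- "t": text chunks only
  if not chunk then return false, err end

  local mt = getmetatable("")      -- the metatable shared by every string
  local saved = mt.__index
  mt.__index = safe_string         -- method calls now resolve in the whitelist
  local ok, res = pcall(chunk)
  mt.__index = saved               -- restore for the host, also after an error
  return ok, res
end

-- The test from the thread: a method added to the host's string library.
string.hack = function() print("Hacked") end

-- Fails inside the sandbox: `hack` is not in the whitelist.
print(sandbox([[ ("just string"):hack() ]]))
-- Whitelisted methods still work through method-call syntax.
print(sandbox([[ return ("just string"):upper() ]]))
-- After the run the host's string metatable is back to normal.
print(("host").hack == string.hack)
```

The swap is global to the Lua state while the chunk runs, so any host function the chunk is allowed to call (here `print`) also sees the restricted string methods during that time.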