[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: getmetatable-esque metamethod [Forked from:] metatables for strings?
- From: Nagaev Boris <bnagaev@...>
- Date: Sun, 3 May 2015 21:39:46 +0000
On Sun, May 3, 2015 at 8:38 PM, Dirk Laurie <email@example.com> wrote:
> 2015-05-03 21:24 GMT+02:00 Andrew Starks <firstname.lastname@example.org>:
>> I could not bare to triple post, and this idea is different enough
>> that I'll take the opportunity to fork...
>> sand boxing the string's metamethods is something that would be nice
>> to be able to do, but it is hard to imagine that feature existing
>> without something being treated as "special".
>> I don't know if this mechanism would be general and useful enough for
>> consideration, but I did think of a way that I believe could be used
>> to solve this problem.
> It is trivial to sandbox a string's methods.
> $ lua
> Lua 5.3.0 Copyright (C) 1994-2015 Lua.org, PUC-Rio
>> getmetatable"".__metatable = "Sandboxed!"
>> string = nil
>> str = "The quick brown fox"
>> for k in str:gmatch"%S+" do print(k) end
This is exactly what I want to prevent.
Even some built-in string methods are considered dangerous, at least
string.dump . Not to mention methods added to string by 3d party
Sanboxed code must not call string.dump, while it is still needed
outside the sandbox. Here is some practical example showing why it is
a bad idea to expose string.dump to untrusted code .