lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On Wed, Jul 1, 2015 at 8:00 PM, Nathan Hüsken <> wrote:
> On 01.07.2015 21:37, Ignacio Burgueño wrote:
>> On Wed, Jul 1, 2015 at 4:27 PM, Nathan Hüsken <>
>> wrote:
>>> Dear Lua community,
>>> I am completely new to lua (not to programming) and also to this
>>> community, so hello everyone :-).
>> Welcome, Nathan.
>> Surely someone more versed on sandboxes will pop soon, but in the meantime,
>> you can search the archives of the mailing list for "sandboxing", because
>> that is an issue that gets regularly discussed.
> Ok, cool. That is exactly what I am looking for!
> I might also be targeting the browser. Does sandboxing also work with an
> javascript interpreter like moonshine? I am wondering because as far as
> I can see the way a script is loaded is different.
> Thanks!
> Nathan

(Unrelated) You can find several Lua implementations in JavaScript and
other cool Lua software [1].

With sandboxing, you can start from [2]. Most difficult things are
isolating 'string' metatable (otherwise its members are available
through any string variable) and prevention of DoS attacks (like
`while true do end`, which can bypass `debug.sethook` on some Lua

My own sandbox implementation [3]. In my implementation, 'string'
metatable is isolated at the cost of side effect: when sandboxed code
is called, metatable of all strings is changed. It can break
non-sandboxed code operating with strings called from sandboxed code.
Maybe this can be fixed by providing __index metamethod to that
metatable of 'string' so that 'string' behaves like normal 'string' in
non-sandboxed code called from sandboxed code. This information can be
provided by debug.getinfo. Not implemented yet!



Best regards,
Boris Nagaev