[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: disallow interaction with "outside world"
- From: Nagaev Boris <bnagaev@...>
- Date: Thu, 2 Jul 2015 07:16:36 +0000
On Wed, Jul 1, 2015 at 8:00 PM, Nathan Hüsken <email@example.com> wrote:
> On 01.07.2015 21:37, Ignacio Burgueño wrote:
>> On Wed, Jul 1, 2015 at 4:27 PM, Nathan Hüsken <firstname.lastname@example.org>
>>> Dear Lua community,
>>> I am completely new to lua (not to programming) and also to this
>>> community, so hello everyone :-).
>> Welcome, Nathan.
>> Surely someone more versed on sandboxes will pop soon, but in the meantime,
>> you can search the archives of the mailing list for "sandboxing", because
>> that is an issue that gets regularly discussed.
> Ok, cool. That is exactly what I am looking for!
> I might also be targeting the browser. Does sandboxing also work with an
> I can see the way a script is loaded is different.
other cool Lua software .
With sandboxing, you can start from . Most difficult things are
isolating 'string' metatable (otherwise its members are available
through any string variable) and prevention of DoS attacks (like
`while true do end`, which can bypass `debug.sethook` on some Lua
My own sandbox implementation . In my implementation, 'string'
metatable is isolated at the cost of side effect: when sandboxed code
is called, metatable of all strings is changed. It can break
non-sandboxed code operating with strings called from sandboxed code.
Maybe this can be fixed by providing __index metamethod to that
metatable of 'string' so that 'string' behaves like normal 'string' in
non-sandboxed code called from sandboxed code. This information can be
provided by debug.getinfo. Not implemented yet!