lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On Thu, Jul 2, 2015 at 3:16 AM, Nagaev Boris <> wrote:
> On Wed, Jul 1, 2015 at 8:00 PM, Nathan Hüsken <> wrote:
>> On 01.07.2015 21:37, Ignacio Burgueño wrote:
>>> On Wed, Jul 1, 2015 at 4:27 PM, Nathan Hüsken <>
>>> wrote:
>>>> Dear Lua community,
>>>> I am completely new to lua (not to programming) and also to this
>>>> community, so hello everyone :-).
>>> Welcome, Nathan.
>>> Surely someone more versed on sandboxes will pop soon, but in the meantime,
>>> you can search the archives of the mailing list for "sandboxing", because
>>> that is an issue that gets regularly discussed.
>> Ok, cool. That is exactly what I am looking for!
>> I might also be targeting the browser. Does sandboxing also work with an
>> javascript interpreter like moonshine? I am wondering because as far as
>> I can see the way a script is loaded is different.
>> Thanks!
>> Nathan
> (Unrelated) You can find several Lua implementations in JavaScript and
> other cool Lua software [1].
> With sandboxing, you can start from [2]. Most difficult things are
> isolating 'string' metatable (otherwise its members are available
> through any string variable) and prevention of DoS attacks (like
> `while true do end`, which can bypass `debug.sethook` on some Lua
> implementations).
> My own sandbox implementation [3]. In my implementation, 'string'
> metatable is isolated at the cost of side effect: when sandboxed code
> is called, metatable of all strings is changed. It can break
> non-sandboxed code operating with strings called from sandboxed code.
> Maybe this can be fixed by providing __index metamethod to that
> metatable of 'string' so that 'string' behaves like normal 'string' in
> non-sandboxed code called from sandboxed code. This information can be
> provided by debug.getinfo. Not implemented yet!
> [1]
> [2]
> [3]
> --
> Best regards,
> Boris Nagaev

I'd be surprised if "while true do end" can break debug hooks, since
it's not making any C calls. Any time you make a C function available
though (such as string.rep) you have to watch out that the user can't
abuse it to overwhelm your app, e.g. with string.rep("a", 99999999) or

Sent from my Game Boy.