Re: disallow interaction with "outside world"

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: disallow interaction with "outside world"
From: Nagaev Boris <bnagaev@...>
Date: Thu, 2 Jul 2015 09:17:48 +0000

>>
>> With sandboxing, you can start from [2]. Most difficult things are
>> isolating 'string' metatable (otherwise its members are available
>> through any string variable) and prevention of DoS attacks (like
>> `while true do end`, which can bypass `debug.sethook` on some Lua
>> implementations).
>>
>
> I'd be surprised if "while true do end" can break debug hooks,

Please try this code under Lua and LuaJIT:

$ cat dos.lua
debug.sethook(function()
    print 'hook'
end, "", 1e3)
while true do end

$ lua dos.lua
hook
hook
hook
...

^C
$ luajit dos.lua
<prints nothing>

> since
> it's not making any C calls. Any time you make a C function available
> though (such as string.rep) you have to watch out that the user can't
> abuse it to overwhelm your app, e.g. with string.rep("a", 99999999) or
> ("a"):rep(9999):rep(9999):rep(9999):rep(9999)...

This is another problem...

-- 


Best regards,
Boris Nagaev

References:
- disallow interaction with "outside world", Nathan Hüsken
- Re: disallow interaction with "outside world", Ignacio Burgueño
- Re: disallow interaction with "outside world", Nathan Hüsken
- Re: disallow interaction with "outside world", Nagaev Boris
- Re: disallow interaction with "outside world", Rena

Prev by Date: Re: disallow interaction with "outside world"
Next by Date: RE: How to "ask for" and "pass" values between Lua and C?
Previous by thread: Re: disallow interaction with "outside world"
Next by thread: Re: disallow interaction with "outside world"
Index(es):
- Date
- Thread