[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: Some thoughts on security
- From: nobody <nobody+lua-list@...>
- Date: Mon, 12 Dec 2016 01:31:51 +0100
On 2016-12-12 01:11, Nagaev Boris wrote:
> Beside what Daurnimator said in a parallel thread, the sentence you
> quoted applies to Lua source code, not bytecode.
> Lua program can load bytecode using load function.
and os.execute "rm -rf /*" and …, so you obviously have to sandbox
anything untrusted. Assuming you removed the debug library (and ensured
that the untrusted code can't get it back),
local old_load = load
function load( src, src_what, _mode, env )
return old_load( src, src_what, "t", env )
hard-codes the mode, forbidding binary chunks. Without getupvalue, you
can't get it back.