- Subject: Re: Some thoughts on security
- From: nobody <nobody+lua-list@...>
- Date: Mon, 12 Dec 2016 01:31:51 +0100
On 2016-12-12 01:11, Nagaev Boris wrote:
> Beside what Daurnimator said in a parallel thread, the sentence you
> quoted applies to Lua source code, not bytecode.
>
> —Pierre-Yves
>
> Lua program can load bytecode using load function.
and os.execute "rm -rf /*" and …, so you obviously have to sandbox
anything untrusted. Assuming you removed the debug library (and ensured
that the untrusted code can't get it back),
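    do
      local old_load = load
      -- Forward env through "..." so it is passed only when the caller
      -- gave one; an explicit nil env would set the chunk's _ENV to nil.
      function load( src, src_what, _mode, ... )
        return old_load( src, src_what, "t", ... )
      end
    end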
hard-codes the mode, forbidding binary chunks. Without getupvalue, you
can't get it back.
-- Marco
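
The text-only wrapper from the message above, exercised against a precompiled chunk. This is an added example, not part of the original post; it assumes Lua 5.2 or later, and `make_text_load` and the `sandbox` table are hypothetical names. It goes one step beyond the post by defaulting `env` to the sandbox table, because `load` called without `env` gives the new chunk the real global environment.

```lua
local real_load = load

-- Build a load() replacement bound to one sandbox environment.
-- make_text_load is a hypothetical helper, not a standard function.
local function make_text_load(sandbox_env)
  return function(chunk, name, _mode, ...)
    -- Default to the sandbox table; a caller-supplied env still wins.
    local env = sandbox_env
    if select("#", ...) > 0 then env = ... end
    -- The caller's mode is ignored: text chunks only.
    return real_load(chunk, name, "t", env)
  end
end

-- Minimal sandbox environment (constructed for this example).
local sandbox = { type = type, tostring = tostring }
sandbox.load = make_text_load(sandbox)

-- Constructed sample input: a precompiled chunk standing in for
-- bytecode that untrusted code might try to load.
local binary = string.dump(function() return 42 end)
assert(binary:byte(1) == 27)            -- binary chunks start with ESC

-- Untrusted code, compiled with the sandbox as its environment.
local untrusted = [[
  local blob = ...
  local f, err = load(blob)             -- binary chunk: refused
  local g = load("return os")           -- text chunk: sees the sandbox only
  return f, err, g()
]]
local run = real_load(untrusted, "=untrusted", "t", sandbox)
local f, err, os_seen = run(binary)

assert(f == nil and err:find("binary", 1, true))
assert(os_seen == nil)                  -- no path back to the real globals
assert(real_load(binary)() == 42)       -- the unwrapped load accepts bytecode
print(err)
```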