

If you control the code that loads the untrusted Lua script and don't intend on modifying Lua itself, I think you can achieve a "sandboxed" environment by using the setfenv function.

You could load the untrusted script through something like

chunk = loadfile("script.lua")
-- in this table you place only the functions that you don't consider harmful
setfenv(chunk, { print = print })
script_result = chunk()

On Mon, Sep 3, 2018 at 16:12, Brice André <brice@famille-andre.be> wrote:
Dear all,

I am trying to embed Lua for a sandbox scripting language, where all potentially harmful functions would be deactivated.

To do so, I patched the file "linit.c" and commented all lines of "loadedlibs" declaration:

static const luaL_Reg loadedlibs[] = {
 // {"_G", luaopen_base},
 // {LUA_LOADLIBNAME, luaopen_package},
 // {LUA_COLIBNAME, luaopen_coroutine},
 // {LUA_TABLIBNAME, luaopen_table},
 // {LUA_IOLIBNAME, luaopen_io},
 // {LUA_OSLIBNAME, luaopen_os},
 // {LUA_STRLIBNAME, luaopen_string},
 // {LUA_MATHLIBNAME, luaopen_math},
 // {LUA_UTF8LIBNAME, luaopen_utf8},
 // {LUA_DBLIBNAME, luaopen_debug},
#if defined(LUA_COMPAT_BITLIB)
 // {LUA_BITLIBNAME, luaopen_bit32},
#endif
  {NULL, NULL}
};

As a result, functions like 'io.open' are no longer available. But I am a little puzzled because some functions declared in "luaopen_base", like the "print" function, are still available.

Am I doing something wrong, or am I missing something?

Or maybe there is a simpler/safer way of achieving what I am trying to do?

Thanks in advance for your help,

Brice
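
The environment approach from the reply above, as an added example that is not part of the original thread. It goes beyond `setfenv`, which exists only in Lua 5.1, by using the `env` argument of `load` on Lua 5.2 and later. The names `make_env` and `run_sandboxed`, the whitelist contents, and the sample scripts are assumptions made for illustration.

```lua
-- Added example: run untrusted source text inside a whitelist environment.
-- make_env and run_sandboxed are hypothetical names, not from the thread.

-- Build a fresh whitelist per run so one script cannot poison the next.
local function make_env()
  return {
    print = print, pairs = pairs, ipairs = ipairs, next = next,
    tostring = tostring, tonumber = tonumber, type = type,
    select = select, pcall = pcall, error = error,
    -- Expose copies of selected functions, never the shared library
    -- tables, so a script cannot overwrite string.format for the host.
    math = { floor = math.floor, max = math.max, min = math.min },
    string = { sub = string.sub, upper = string.upper, format = string.format },
  }
end

local function run_sandboxed(source, chunkname)
  -- Refuse precompiled chunks (they start with ESC, byte 27): the VM
  -- does not verify bytecode, so only source text is accepted.
  if source:byte(1) == 27 then
    return false, "bytecode rejected"
  end
  local env = make_env()
  local chunk, err
  if setfenv then                        -- Lua 5.1
    chunk, err = loadstring(source, chunkname)
    if chunk then setfenv(chunk, env) end
  else                                   -- Lua 5.2 and later
    chunk, err = load(source, chunkname, "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)                    -- runtime errors stay contained
end

-- Constructed sample scripts.
local ok, value = run_sandboxed("return math.max(2, 7)", "allowed")
assert(ok and value == 7)

-- io is absent from the environment, so indexing it raises an error.
assert(run_sandboxed("return io.open('x')", "blocked") == false)

-- Globals outside the whitelist simply read as nil.
local ok2, os_seen = run_sandboxed("return os", "lookup")
assert(ok2 and os_seen == nil)

-- Caveat: method calls on strings ("x"):rep(n) go through the string
-- metatable and still reach the full string library.
```

The environment limits which functions a script can name; it does not bound CPU time or memory, which need separate controls in the host.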