Re: Question on get/setmetatable()

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Question on get/setmetatable()
From: "Joseph C. Sible" <josephcsible@...>
Date: Sat, 23 May 2020 14:35:11 -0400

On Sat, May 23, 2020 at 2:18 PM Andrea <andrea.l.vitali@gmail.com> wrote:
>
> It seems that having set/getmetable() is the best in the end: easy to sandbox.
>

This is a pet peeve of mine: you don't ever need to restrict
setmetatable or getmetatable. You can't use setmetatable on non-tables
even with no sandboxing, and that plus using __metatable appropriately
is enough for a well-designed application to protect against all
attacks that restricting those functions could protect against, but
without giving up nearly as much useful functionality.

Joseph C. Sible

References:
- Question on get/setmetatable(), Andrea
- Re: Question on get/setmetatable(), pocomane
- Re: Question on get/setmetatable(), Philippe Verdy
- Re: Question on get/setmetatable(), Andrea
- Re: Question on get/setmetatable(), Philippe Verdy
- Re: Question on get/setmetatable(), Andrew Gierth
- Re: Question on get/setmetatable(), Andrea

Prev by Date: Re: question on <const>
Next by Date: Re: Can't interrupt tight loops in Lua 5.4 anymore?
Previous by thread: Re: Question on get/setmetatable()
Next by thread: Re: Question on get/setmetatable()
Index(es):
- Date
- Thread