> I'd vote against it.  Loading libraries from a secondary source (or even
> allowing an 'include' directive) can be a security hole for scripts. 
> Lua scripts are meant to be embedded in an application.  If the
> application does not wish to allow the user scripts to access the system
> resources, or load outside/untrusted code, it shouldn't be allowed.
> Sean Etc.
> On Thu, 2002-05-30 at 03:41, Asko Kauppi wrote:
> > 
> > As you can see from the thread, there's N solutions already for this...
> > me, it seems like a thing that should be done "centrally" (= within the
> > Lua's built-in sample interpreter) and then no-one would need to have
> > secondary libraries doing the same thing.

Reread the message you quote: "within the Lua's built-in sample
interpreter", i.e. within lua.c.

The system functions are in external libraries, i.e. you can easily embed Lua
in your system without them, or with only a carefully selected subset of
them (e.g. read-only functions).

Now, your rant makes a point, we don't want applications embedding Lua to be
as insecure as Outlook [Express] :-)


Philippe Lhoste (Paris -- France)
Professional programmer and amateur artist
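
An added illustration of the "carefully selected subset" point above, written in Lua itself; it is not part of the original message or of the Lua distribution. It assumes Lua 5.2 or later (load accepting a mode and an environment table), and make_env and run_untrusted are hypothetical names.

```lua
-- Added example. Assumes Lua 5.2+; make_env/run_untrusted are hypothetical.

-- Allowlist: pure functions plus a read-only subset of os. No io, no
-- require/dofile/loadfile/load, no os.execute/os.remove/os.rename, no debug.
local function make_env()
  return {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type,
    string = { byte = string.byte, char = string.char, find = string.find,
               format = string.format, len = string.len, lower = string.lower,
               sub = string.sub, upper = string.upper },
    table  = { concat = table.concat, insert = table.insert,
               remove = table.remove, sort = table.sort },
    math   = { abs = math.abs, floor = math.floor, max = math.max,
               min = math.min },
    os     = { clock = os.clock, time = os.time },  -- read-only calls only
  }
end

-- Run untrusted source text in a fresh environment.
-- Mode "t" accepts text chunks only and rejects precompiled bytecode.
local function run_untrusted(source, chunkname)
  local chunk, err = load(source, chunkname or "=user", "t", make_env())
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed sample scripts: two that stay inside the allowlist and four
-- that reach for system resources or outside code.
local samples = {
  { "pure computation",  "return string.upper('ok') .. math.max(1, 2)" },
  { "read-only os call", "return type(os.time())" },
  { "shell access",      "return os.execute('echo hi')" },
  { "file access",       "return io.open('data.txt')" },
  { "load outside code", "return require('socket')" },
  { "include directive", "return dofile('other.lua')" },
}

for _, s in ipairs(samples) do
  local ok, result = run_untrusted(s[2], "=" .. s[1])
  print(string.format("%-18s %-8s %s", s[1], ok and "ok" or "blocked",
                      tostring(result)))
end
```

Method calls on strings (s:rep(n) and the like) still resolve through the shared string metatable to the host's full string table, and nothing here limits CPU or memory use, so a host that needs those guarantees has to add them separately.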
