lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On Thu, Mar 05, 2009 at 02:49:23PM -0000, John Hind wrote:
> Now you really have me confused! Surely most Lua apps accept "arbitrary user
> code"? After all it is a configuration and customisation language and this
> is the whole point. Sure, I guess most such apps do not *expect* to load
> binary files, but as long as they use the same input stream this will remain
> a possible attack vector.

For most lua applications there is nothing to attack.  The lua code
and the main application come from the same security context and
there's nothing you can do through the application you couldn't do