At 17:15 28/01/2004, you wrote:
Almost all of the code is written purely in terms of the standard library
(one or two routines use standard Unix command-line utilities via
os.execute).

os.execute and io.popen are scary functions. When using them, you have to be very certain about the contents of the strings being passed in. I'm going to

Whilst on that topic (or not), I thought I'd just mention what we've done here.

We've modified the standard functions so that 'os.execute', 'os.popen' and some other things (e.g. os.open etc.) are classed as 'sensitive' functions.

A Lua script can call a function 'io.enablesecurity("password")' which will disable all these functions, until 'io.disablesecurity("password")' is called.

This is because, if we make Lua scripting available to users, we want to be able to turn off these functions, so we can call our own script first which sets security and then calls the user script.

I actually think this would be quite a nice feature in the 'normal' Lua release as it doesn't affect anything unless you use the 'io.enablesecurity' function to disable the functions, but it gives you that flexibility. The extra security checking does slow things down a bit (obviously), but since it's only on os type functions, they're pretty slow anyway ;-)


Paul				VPOP3 - Internet Email Server/Gateway
support@pscs.co.uk			http://www.pscs.co.uk/
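
A pure-Lua approximation of the lock-first, then-run-the-user-script arrangement described in the message above, as an added example that is not the poster's modified standard library. It assumes Lua 5.2 or later; `make_gate`, `guard`, `user_env`, the user script and the password are hypothetical names and constructed values.

```lua
-- Added example (assumes Lua 5.2+); every name below except os.execute,
-- io.popen, enablesecurity and disablesecurity is hypothetical.
local function make_gate()
  local locked, secret = false, nil      -- upvalues: unreachable without debug
  local gate = {}
  function gate.enablesecurity(password)
    if locked then return false end      -- a second caller cannot replace the password
    locked, secret = true, password
    return true
  end
  function gate.disablesecurity(password)
    if not (locked and password == secret) then return false end
    locked, secret = false, nil
    return true
  end
  -- Wrap a sensitive function so that it fails closed while locked.
  function gate.guard(name, fn)
    return function(...)
      if locked then error(name .. " is disabled by security policy", 2) end
      return fn(...)
    end
  end
  return gate
end

local gate = make_gate()

-- Environment for the user script: guarded wrappers only. It omits debug,
-- package, require, load and dofile, any of which could reach the originals.
local user_env = {
  print = print, pcall = pcall, tostring = tostring,
  os = { time = os.time, execute = gate.guard("os.execute", os.execute) },
  io = { popen = gate.guard("io.popen", io.popen),
         disablesecurity = gate.disablesecurity },
}

-- Constructed user script: attempts sensitive calls, then guesses the password.
local user_script = [[
  print("os.execute:", pcall(os.execute, "echo should-not-run"))
  print("io.popen:", pcall(io.popen, "echo should-not-run"))
  print("unlock with a guess:", io.disablesecurity("guess"))
]]

gate.enablesecurity("constructed-host-secret")            -- host locks first
-- Mode "t" rejects precompiled bytecode; user_env replaces the global table.
local chunk = assert(load(user_script, "=user", "t", user_env))
chunk()
assert(gate.disablesecurity("constructed-host-secret"))   -- host unlocks afterwards
```

Wrapping in Lua only holds while the user chunk cannot reach the original functions, which is why the environment is built from scratch rather than by removing entries from the globals. Because the user script can call the unlock function repeatedly, the password needs to be long and random rather than a fixed string like the constructed one here.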