A purported benefit of Lua over some other languages (notably Python) is
that it can be run in a reasonably secure, sandboxed mode. I am integrating
Lua into a game where end-users can write scripts and share them with
others.

Aside from any as-yet undiscovered bugs, Lua should be 100% secure if you do
not load any libraries.

How safe are the 5.0.2 standard libraries?  Here's my guess:

* luaopen_base: UNSAFE. "dofile", "loadfile" and "require" look scary to me.
For example, if I tried to load a local file from the user's hard drive and
happened to get a file with a credit card number, are we really sure there's
no way that the script can access the content?  

* luaopen_loadlib: UNSAFE. A malicious script could load a C library
masquerading as a jpg or something in your internet cache.  (The manual
claims that loadlib is part of the base library. Thankfully, it isn't!)

* luaopen_math: Safe

* luaopen_table: Safe

* luaopen_string: Safe.  I'm happy to see that str_format() does checks on
parameters before calling sprintf.  Can the Lua authors confirm that they
wrote the string library with the intention of preventing crashes and
exploits?

* luaopen_io: UNSAFE.  The I/O library gives the scripter access to the
local file system. The os calls are, of course, unsafe as well.

* luaopen_debug: Safe?


Now here's a problem: Coroutines are a subset of the base library, which
means you can't use coroutines without exposing "dofile", "loadfile" and
"require".


Has anybody investigated this further than I have?  Have I missed any
potential exploits?  Any comments, especially regarding the safety of
luaopen_base?

-Erik
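
One way to keep coroutines while withholding "dofile", "loadfile" and "require", as an added example that is not part of the original post: the host opens the libraries, then runs the untrusted chunk with setfenv in an environment that holds only whitelisted names. It assumes Lua 5.0.x or 5.1 (setfenv and loadstring are used); run_untrusted, make_env, the whitelist contents and the sample scripts are hypothetical and constructed for illustration.

```lua
-- Added example, not code from the post or from the Lua distribution.
-- Host side: base, table, string and math libraries are already open.

-- Whitelist (an assumption of this example): nothing that loads code or files.
local SAFE_BASE = { "assert", "error", "ipairs", "next", "pairs", "pcall",
                    "tonumber", "tostring", "type", "unpack" }
local SAFE_LIBS = { "coroutine", "math", "string", "table" }

-- Shallow copy, so a script cannot modify the host's own library tables.
local function copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

-- Build a fresh environment per script; _G, getfenv and setfenv are left out.
local function make_env()
  local env = {}
  for _, name in ipairs(SAFE_BASE) do env[name] = _G[name] end
  for _, name in ipairs(SAFE_LIBS) do
    if _G[name] then env[name] = copy(_G[name]) end
  end
  return env
end

-- Compile untrusted source text and run it inside the restricted environment.
local function run_untrusted(source, chunkname)
  -- Precaution: refuse precompiled chunks (they start with ESC, "\27Lua").
  if string.sub(source, 1, 1) == "\27" then
    return false, "binary chunks rejected"
  end
  local chunk, err = loadstring(source, chunkname)
  if not chunk then return false, err end
  setfenv(chunk, make_env())
  return pcall(chunk)
end

-- Constructed sample 1: coroutines work, the file-loading names are absent.
print(run_untrusted([[
  local co = coroutine.create(function(a)
    local b = coroutine.yield(a + 1)
    return b * 2
  end)
  local _, x = coroutine.resume(co, 1)
  local _, y = coroutine.resume(co, 10)
  return x, y, type(dofile), type(loadfile), type(require), type(io)
]], "=sample1"))

-- Constructed sample 2: calling a withheld function fails inside pcall.
print(run_untrusted([[ return dofile("anything.lua") ]], "=sample2"))
```

This limits which names a script can reach; it does not bound the CPU time or memory a script can consume.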