- Subject: Re: Looking for evil code samples to test in a sandbox environment.
- From: Peter Cawley <lua@...>
- Date: Sun, 25 Apr 2010 00:23:29 +0100
On Sat, Apr 24, 2010 at 8:10 PM, Stuart P. Bentley
<stuart@testtrack4.com> wrote:
> Take a look at the way the official Lua live demo is set up.
>
> http://www.tecgraf.puc-rio.br/~lhf/ftp/lua/5.1/demo.tar.gz

This is a useful resource, but it lacks rationale for what is being
done in demo.lua - my remarks on the less obvious items are:

debug.getfenv=getfenv -- This prevents grabbing the environment of a C
function. In particular, it prevents doing debug.getfenv(module) to
grab the package table.

package.loaded.io=io -- This means that doing module("io", function(X)
code_here end) will pass the sandboxed io library as the X parameter
rather than passing the original io library.

package.loaded.package=nil -- This means that doing module("package",
function(X) code_here end) will pass a new table as the X parameter
rather than passing the original package table (which contains nasty
things like loadlib and loaders[2] through loaders[4]).

I would also add some code to demo.lua to prevent loadstring() from
loading precompiled chunks.
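
Added example, not part of the original message or of demo.lua: one way to make loadstring() and load() refuse precompiled chunks in Lua 5.1, by checking for the ESC byte that begins every binary chunk header. The names safe_loadstring, safe_load and is_binary are hypothetical.

```lua
-- Added example for Lua 5.1 (not from demo.lua); all names are hypothetical.
local raw_loadstring, raw_load = loadstring, load
local ESC = "\27"  -- first byte of the "\27Lua" precompiled-chunk signature
local REJECT = "precompiled chunks are not allowed"

local function is_binary(s)
  return type(s) == "string" and s:sub(1, 1) == ESC
end

local function safe_loadstring(s, chunkname)
  if is_binary(s) then
    return nil, REJECT
  end
  return raw_loadstring(s, chunkname)
end

-- load() pulls the chunk piece by piece from a reader function, so the
-- check is applied to the first piece the reader hands back.
local function safe_load(reader, chunkname)
  local checked, rejected = false, false
  local function guarded()
    if rejected then return nil end
    local piece = reader()
    if not checked then
      checked = true
      if is_binary(piece) then
        rejected = true
        return nil  -- end the stream before any bytecode reaches the loader
      end
    end
    return piece
  end
  local f, err = raw_load(guarded, chunkname)
  if rejected then return nil, REJECT end
  return f, err
end

-- Install the wrappers before any untrusted code runs.
loadstring, load = safe_loadstring, safe_load

-- Constructed self-check: source text still loads, bytecode does not.
local bytecode = string.dump(function() return 1 end)
assert(loadstring("return 1 + 1")() == 2)
assert(loadstring(bytecode) == nil)
local sent = false
assert(load(function() if not sent then sent = true; return bytecode end end) == nil)
```

loadfile() and dofile() also accept precompiled chunks in Lua 5.1, so a sandbox that exposes them needs the same treatment.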