- Subject: newproxy surprise... anything else out there I should be worried about???
- From: Erik Cassel <erik@...>
- Date: Fri, 6 Aug 2010 18:01:59 -0700
While investigating a security breach in some of our sandbox code I came upon the undocumented "newproxy" feature. From a security point of view it seems scary because it allows you to somehow play with metamethods of userdata objects.
Are there any other "undocumented" surprises in Lua?
Yes, people use newproxy in clever ways and I'm sure they rely on it. So please do one of the following:
1) Make it an official part of the language
2) Put it in the documentation as an unsupported feature
3) Turn it off by default. Allow it to be enabled in luaconf.h
I think option 3 is the best one. If something isn't documented then most people won't use it, so it just bloats the code. Turn it off by default and then let people opt into it.
Thanks,
-Erik
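
An added example, not part of the original message and not code from the Lua project: a Lua 5.1 sandbox environment built from an allowlist, so that undocumented globals such as newproxy are absent unless explicitly named, plus an audit that lists host globals missing from the documented set. The allowlist contents and the function names build_env, run_sandboxed and undocumented_globals are assumptions made for illustration.

```lua
-- Lua 5.1 (loadstring/setfenv). The allowlist below is an illustrative
-- assumption, not a vetted policy.
local SAFE_GLOBALS = {
  "assert", "error", "ipairs", "next", "pairs", "pcall", "select",
  "tonumber", "tostring", "type", "unpack",
}
local SAFE_LIBS = {
  table = { "concat", "insert", "remove", "sort" },
  math  = { "abs", "ceil", "floor", "max", "min" },
}

-- Build the environment by copying named entries only. Anything not listed
-- (newproxy, getmetatable, setfenv, debug, ...) never reaches the chunk.
local function build_env()
  local env = {}
  for _, name in ipairs(SAFE_GLOBALS) do env[name] = _G[name] end
  for lib, names in pairs(SAFE_LIBS) do
    local copy = {}  -- fresh table, so the chunk cannot modify the real library
    for _, name in ipairs(names) do copy[name] = _G[lib][name] end
    env[lib] = copy
  end
  return env
end

local function run_sandboxed(source, env)
  local chunk, err = loadstring(source, "=sandbox")
  if not chunk then return false, err end
  setfenv(chunk, env)
  return pcall(chunk)
end

-- Names the Lua 5.1 reference manual documents as globals.
local DOCUMENTED = {}
for name in ([[_G _VERSION assert collectgarbage dofile error getfenv
  getmetatable ipairs load loadfile loadstring module next pairs pcall print
  rawequal rawget rawset require select setfenv setmetatable tonumber tostring
  type unpack xpcall coroutine debug io math os package string table]])
  :gmatch("%S+") do DOCUMENTED[name] = true end

-- Audit the host state: every global the manual does not list.
local function undocumented_globals()
  local found = {}
  for name in pairs(_G) do
    if not DOCUMENTED[tostring(name)] then found[#found + 1] = tostring(name) end
  end
  table.sort(found)
  return found
end

print("sandbox sees newproxy as:", select(2, run_sandboxed("return type(newproxy)", build_env())))
print("undocumented globals:", table.concat(undocumented_globals(), ", "))
```

Running the audit inside the embedding application, rather than the stock interpreter, also surfaces globals registered by the host itself.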