lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Normally, the way to do what you're doing would be to use luaL_loadstring, then set the environment on the returned function, then use lua_call/lua_pcall to invoke said function. This avoids the need to fiddle with the script itself.

22 September 2012 20:15
Well that was really easy, thank you Enrico!

If anyone cares, my mistake was assuming that variables assigned
inside the custom _ENV would be "globals" (i.e. retrievable with the C
API's lua_getglobal()). They are in fact fields of my custom _ENV
table (the sandbox_env table in the example I posted), retrievable in
C by first doing:
lua_getglobal(L, "sandbox_env");
then doing:
lua_getfield(L, -1, "my_variable");

This is very elegant as is the rest of Lua, thanks to everyone who
helped make such a nice language!

22 September 2012 19:27


If I understood correctly what you're doing, you should find any 'global' created by your sandboxed function inside your sandbox_env table.

22 September 2012 18:42
Sorry for the long post, a shorter version of my question is:

When running some Lua script through the C API, and the script assigns
a custom _ENV (a sandbox whitelist) and then assigns some variables,
how can I access those variables later from the C API?

Using the same lua_State that was used to run the script, with the
lua_getglobal() function, all the assigned variables are returning as
nil. Am I missing something really important here? I've scoured
through the docs, the mailing list archives, google, and stack
overflow, and I can't find a straight answer to this... I see lots of
references to the Lua function debug.setupvalue(), but I don't
understand what that does or if I should be trying to use that to
solve my problem.

21 September 2012 20:19
Hi,
I'm completely new to Lua, but loving it already. However, I've been
having issues with sandboxing the environment for an embedded C++
project. Clearly I'm doing it wrong, but I haven't been able to find
information online about the right way to do it.

Basically, my C++ engine is going to use Lua scripts for some of its
configuration and program logic, and I'm trying to force the scripts
into a sandbox using the method outlined here:
http://stackoverflow.com/questions/1224708/how-can-i-create-a-secure-lua-sandbox/6982080#6982080

Of course, this method works well if you're dealing in pure Lua, but
I'm trying to use the Lua C API's luaL_dostring() function to load the
script. How I do this is I make a string containing the Lua code for
setting _ENV = my_whitelist_table, then I concatenate it to the front
of a string containing the actual Lua script I want to run in the
sandbox. The problem is, as soon as I assign my whitelist to _ENV,
something seems to break because I can't access any of the variables
or functions defined in the script from C++ after luaL_dostring()
finishes running. If I ditch the sandboxing and just run the script
(without changing _ENV), I can push and retrieve globals from the
stack, but after changing _ENV, all the globals are nil as soon as the
string of Lua code finishes running, and I can't get at them from C++.

Here is a snippet of what I'm doing on the C++ side:
//--------------------------------
lua_State* sandboxed_L(luaL_newstate());
luaL_openlibs(sandboxed_L);

std::string Lua_whitelist( // my real whitelist is much bigger
"print = print"
);

std::string Lua_sandboxing_script(
"sandbox_env = { " + Lua_whitelist + " } "
"_ENV = sandbox_env "
);

// open Lua script to run here, and load its contents into a string
std::string Lua_script_to_run(some_lua_script_file.contents());

std::string Lua_sandboxed_script_to_run( Lua_sandboxing_script +
Lua_script_to_run )

if (luaL_dostring(sandboxed_L, Lua_sandboxed_script_to_run))
{
// error checking
}
//--------------------------------

All globals seem to be lost after this code is finished running, which
means I can't get anything from the script into my C++ engine. The
problem is not present if I remove the parts where I assign the
whitelist to _ENV.

I must be doing it the wrong way. Can anyone point me in the right
direction? I'd really prefer a whitelist approach similar to this if
possible, it would be much better than diving into Lua's sources and
removing all the functions I don't want. Sorry if this has already
been discussed, I just couldn't find it anywhere.