- Subject: Re: [PATCH] 'data' mode for loadfile
- From: steve donovan <steve.j.donovan@...>
- Date: Mon, 17 Mar 2014 21:34:52 +0200
On Mon, Mar 17, 2014 at 8:41 PM, Thijs Schreijer
<thijs@thijsschreijer.nl> wrote:
> Solutions are nice, but is there some list of potential problems? What I mean is: what should I consider to protect against when sandboxing?
There's the wiki page: http://lua-users.org/wiki/SandBoxes
I mentioned the string metatable thing because it's easy to overlook;
you might exclude the string library, and then someone could use it
through a string literal. String functions can be used to construct a
very effective explosive.
But the Billion Laughs attack, that's a nasty one. The problem with
dynamic solutions (restricting memory, restricting instruction count)
is that they are going to slow Lua down, which is an issue with
reading big data files.
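As an added illustration of the string-metatable point above (this is example code written for this page, not code from the mail or from the loadfile patch under discussion), the following Lua 5.2+/5.3 snippet builds a whitelist environment for an untrusted data chunk and then closes the side door the mail describes: every Lua string shares one metatable whose `__index` is the `string` table, so leaving `string` out of the environment is not enough on its own. The function names (`make_sandbox_env`, `harden_string_metatable`, `run_sandboxed`) and the sample chunk are assumptions made for the example; `load` with an explicit environment and the `"t"` (text-only, no bytecode) mode are standard Lua 5.2+ API.

```lua
-- Added example, not from the original mail or the patch.
-- Assumes Lua 5.2 or later (load(chunk, name, mode, env)).

-- Whitelist environment for an untrusted data chunk: no string library,
-- no load/dofile/require, no os/io, and only a few math helpers.
local function make_sandbox_env()
  return {
    pairs    = pairs,
    ipairs   = ipairs,
    tonumber = tonumber,
    tostring = tostring,
    type     = type,
    math     = { floor = math.floor, max = math.max, min = math.min },
  }
end

-- All strings share one metatable whose __index is the 'string' table, so
-- method-call syntax on a literal reaches string.* even when 'string' is not
-- in the environment. Point __index at an empty table and lock the metatable
-- so that getmetatable("") no longer hands the real one back.
-- Caveat: this changes the whole Lua state, so host code must use
-- string.upper(s) instead of s:upper() afterwards (or run the sandbox in a
-- dedicated lua_State).
local function harden_string_metatable()
  local mt = getmetatable("")
  mt.__index = {}
  mt.__metatable = false
end

-- Compile the untrusted source as text only ("t": binary chunks rejected)
-- inside the whitelist environment, then run it under pcall.
local function run_sandboxed(src)
  local chunk, err = load(src, "=sandbox", "t", make_sandbox_env())
  if not chunk then
    return false, err
  end
  return pcall(chunk)
end

-- Constructed sample chunk: reports whether string functions are reachable
-- through the global 'string' table and through a string literal.
local untrusted = [[
  local via_lib     = (string ~= nil)
  local via_literal = (("abc").upper ~= nil)
  return via_lib, via_literal
]]

print("before hardening:", run_sandboxed(untrusted))
harden_string_metatable()
print("after hardening: ", run_sandboxed(untrusted))
```

Before `harden_string_metatable()` the chunk finds no global `string` but still reaches `upper` through the literal; afterwards both probes come back `false`. Note that this addresses only the metatable escape; the resource-exhaustion problem the mail raises next (Billion Laughs via repeated string expansion) is not solved by removing functions and, as the mail says, needs memory or instruction limits that cost throughput on large data files.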