- Subject: Re: Lua 5.3, _ENV and load(). What a mess.
- From: Roberto Ierusalimschy <roberto@...>
- Date: Sat, 28 Mar 2015 13:18:27 -0300
> In fact, this behavior makes it HARDER to sandbox untrusted functions,
> though Roberto would no doubt point out that you cannot trust bytecode
> anyway, and should only load Lua text, which will have a correctly
> wired “main” chunk function.

I will point out another thing. There is a difference between sandboxing
a function and sandboxing a chunk. A function can access the environment
through *any* of its upvalues; there is nothing special about _ENV.

  local g, m = _G, math
  function untrusted ()
    for k in pairs(m) do m[k] = nil end
    for k in pairs(g) do g[k] = nil end
  end

So, if you want to call an untrusted function, you should check all
its upvalues, not only _ENV or the first one.

A chunk, on the other hand, is loaded with no upvalues, except the first
one (if you did not take care of it). Changing that first upvalue to nil
will ensure that the resulting function has no external access, no matter
whether that first one was _ENV or not. Again, there is nothing special
about _ENV.

So, our view is: we do not want to treat _ENV in a special way because
really there is nothing special about it.

-- Roberto
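
The two checks described in the message above, as an added example that is not part of the original post and not code from the Lua authors. It assumes Lua 5.3 with the debug library available to the host; risky_upvalues and the stand-in untrusted function are hypothetical names constructed for illustration.

```lua
-- Added example for Lua 5.3+; helper names are hypothetical.
local g, m = _G, math

-- Constructed stand-in for an untrusted function: it names no global,
-- so it has no _ENV upvalue, yet it still holds _G and math.
local function untrusted()
  return g, m
end

-- Return every upvalue of f whose value is a table, function,
-- userdata or thread, whatever the upvalue is called.
local function risky_upvalues(f)
  local reach = { table = true, ["function"] = true,
                  userdata = true, thread = true }
  local found, i = {}, 1
  while true do
    local name, value = debug.getupvalue(f, i)
    if name == nil then break end
    if reach[type(value)] then
      found[#found + 1] = { index = i, name = name, kind = type(value) }
    end
    i = i + 1
  end
  return found
end

local hits = risky_upvalues(untrusted)
assert(#hits == 2 and hits[1].name == "g" and hits[2].name == "m")
for _, uv in ipairs(hits) do
  print(("upvalue %d (%s) holds a %s"):format(uv.index, uv.name, uv.kind))
end

-- A chunk loaded from text ("t" rejects bytecode) has only its first upvalue.
local chunk = assert(load("return type(print)", "=untrusted", "t"))
assert(debug.getupvalue(chunk, 2) == nil)
debug.setupvalue(chunk, 1, nil)   -- cut that single link to the outside

local ok, err = pcall(chunk)
assert(not ok)                    -- the chunk can no longer reach print
print(err)
```

A host that finds any entry in the returned list should refuse to call the function or replace those upvalues first; checking only the upvalue named _ENV would have passed this function.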