[Monotone-devel] Securing Lua

monotone-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Monotone-devel] Securing Lua

From:	Alex Queiroz
Subject:	[Monotone-devel] Securing Lua
Date:	Mon, 28 Nov 2005 09:19:19 -0300

Hallo,

     Regarding the concern about some dangerous functions in the Lua
library, it's not necessary to have a custom Lua distribution to
disable them. All one has to do is to set the functions to nil right
after the library initialisation in lua.cc:

  luaopen_base(st);
  luaopen_io(st);
  luaopen_string(st);
  luaopen_math(st);
  luaopen_table(st);
  luaopen_debug(st);

  // disabling os.execute
  lua_pushstring(st, "os");
  lua_gettable(st, LUA_GLOBALSINDEX);
  lua_pushstring(st, "execute");
  lua_pushnil(st);
  lua_settable(st, -3);
  lua_pop(st, 1);

     And after this the os.execute() function will be garbage collected.

--
-alex
http://www.ventonegro.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[Monotone-devel] Securing Lua, Alex Queiroz <=

Prev by Date: [Monotone-devel] Re: [...] need more static version
Next by Date: [Monotone-devel] Re: windows *cough* NT4 support?
Previous by thread: [Monotone-devel] Re: Can't run version 0.23, missing libstdc++.so.6, need more static version
Next by thread: [Monotone-devel] [PATCH] improve db error handling
Index(es):
- Date
- Thread