
[Monotone-devel] Securing Lua


From: Alex Queiroz
Subject: [Monotone-devel] Securing Lua
Date: Mon, 28 Nov 2005 09:19:19 -0300

Hallo,

     Regarding the concern about some dangerous functions in the Lua
library, it's not necessary to have a custom Lua distribution to
disable them. All one has to do is to set the functions to nil right
after the library initialisation in lua.cc:

  luaopen_base(st);
  luaopen_io(st);
  luaopen_string(st);
  luaopen_math(st);
  luaopen_table(st);
  luaopen_debug(st);

  // disabling os.execute
  lua_pushstring(st, "os");
  lua_gettable(st, LUA_GLOBALSINDEX);
  lua_pushstring(st, "execute");
  lua_pushnil(st);
  lua_settable(st, -3);
  lua_pop(st, 1);

     And after this the os.execute() function will be garbage collected.

--
-alex
http://www.ventonegro.org/



