Is there anyway to avoid this security issue in Lua?

I was just working on a localizable Lua string solution when I came up with this hack. Problem is, I don't know how to avoid getting hacked by it :) So I was wondering if anyone has done something similar and/or knows how to protect from this kind of attack (in user code).

Since we can do this:

=("foo"):upper() -->output: FOO

It can be hacked like this:

getmetatable("foo").__index.upper = function() print("bye bye sucker");os.exit() end
=("foo"):upper() -->output: bye bye sucker (application quits)
-- or this way
=string.upper("bar") -->output: bye bye sucker (application quits)

Any ideas?

Answers


First and foremost, execute untrusted code in a sandboxed environment only, as other posters have said. Except for loading bytecode chunks, Lua allows all other sandboxing issues to be covered. (And bytecode chunk problems get fixed promptly as they are discovered.)

See Lua Live Demo for an example of sandboxing. Sources are available here.

Your specific problem with metatables is solved by setting a __metatable field:

If you set a __metatable field in the metatable, getmetatable will return the value of this field, whereas setmetatable will raise an error.

– Roberto Ierusalimschy, Programming in Lua 1st edition, 13.3 - Library-Defined Metamethods

For example:

> mt = { __metatable = true }
> t = {}
> setmetatable(t, mt)
> setmetatable(t, mt)
stdin:1: cannot change a protected metatable
stack traceback:
	[C]: in function 'setmetatable'
	stdin:1: in main chunk
	[C]: ?

So, all you have to do is:

getmetatable("").__metatable = true
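The two halves of this answer put together, as an added example that is not part of the original post: lock the shared string metatable with `__metatable`, then run the untrusted chunk in an environment that holds only copies of the safe library tables, so that even a direct assignment to `string.upper` from inside the sandbox cannot reach the host's `string` table (which is the same table as the metatable's `__index`). The helper names `make_sandbox`, `run_untrusted` and the `attack` snippet are constructed for this example; it assumes the stand-alone interpreter of Lua 5.1 (setfenv/loadstring) or 5.2+ (load with an env argument).

```lua
-- Example code, not from the original post. Assumes Lua 5.1 or 5.2+.

-- 1. Lock the string metatable: getmetatable("") now returns the lock
--    value instead of the real table, so __index is out of reach.
--    Caveat: debug.getmetatable ignores __metatable, so the debug
--    library must never be exposed to untrusted code.
getmetatable("").__metatable = "locked"
assert(getmetatable("") == "locked")

-- 2. Give the sandbox copies of the library tables it may use, so an
--    assignment such as string.upper = f only touches the copy.
local function copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

local function make_sandbox()
  return {
    pairs = pairs, ipairs = ipairs, tostring = tostring, tonumber = tonumber,
    type = type, pcall = pcall, error = error, select = select,
    string = copy(string), table = copy(table), math = copy(math),
    -- deliberately absent: os, io, debug, load, loadstring, dofile,
    -- require, getmetatable, setmetatable, rawget, rawset
  }
end

-- 3. Compile the chunk as text only (no bytecode) into that environment.
local function run_untrusted(code)
  local env, chunk, err = make_sandbox()
  if setfenv then                                  -- Lua 5.1
    chunk, err = loadstring(code, "=untrusted")
    if chunk then setfenv(chunk, env) end
  else                                             -- Lua 5.2+
    chunk, err = load(code, "=untrusted", "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed untrusted chunk trying both routes from the question.
local attack = [[
  local reached_mt = pcall(function() getmetatable("x").__index.upper = nil end)
  string.upper = function() return "hijacked" end
  return reached_mt, string.upper("a")
]]
local ok, reached_mt, inner = run_untrusted(attack)
assert(ok and reached_mt == false and inner == "hijacked")  -- sandbox copy only

-- The host's string library and the method call on strings are untouched.
assert(("foo"):upper() == "FOO" and string.upper("bar") == "BAR")
```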
