Re: [ANN] Simple Luajit Sandbox

  • From: Hendrik Polczynski <hendrikpolczyn@xxxxxxxxx>
  • To: luajit@xxxxxxxxxxxxx
  • Date: Wed, 17 Dec 2014 16:18:39 +0100

Why not spawn a new Lua state inside an OS thread, so you can monitor
the thread and terminate it externally if it is abnormal?

The only problem would be limiting the number of spawned threads and
cleaning up memory after termination of the thread.

I think, though, that I have read that the close of the Lua state can be
called in any condition of the state (even after errors or panics), so it
should clean up the memory (at least when using normal Lua).

2014-12-17 16:09 GMT+01:00 steve donovan <steve.j.donovan@xxxxxxxxx>:
>
> On Wed, Dec 17, 2014 at 5:03 PM, Meae Flowright <scratchnloved@xxxxxxxxx> wrote:
> > By not passing default string operators, most of which aren't safe, to the
> > environment. The sandbox overloads the string type metatable with the
> > environment's string table if provided, otherwise it uses an empty table.
>
> That's the sensible thing to do (e.g. Penlight's pretty.load has a
> paranoid option)
>
> Roberto pointed out that one can still cause mayhem with simple string
> concatenation:
> L = "lol"
> L = L..L..L..L..L..L..L
> L = L..L..L..L..L..L..L
> L = L..L..L..L..L..L..L
> ....
>
> What kinds of space/time constraints can you impose on the running scripts?
>
>
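
The space/time question quoted above, worked as an added example that is not part of the thread or of the announced sandbox: an instruction and memory budget enforced with a debug hook while the string metatable is emptied, run against the concatenation script from the quote. `run_limited`, `max_steps` and `max_kb` are hypothetical names, and the code assumes the Lua 5.1 API that LuaJIT implements.

```lua
-- Added example (Lua 5.1 / LuaJIT). run_limited, max_steps and max_kb are
-- names made up for this sketch, not part of the announced sandbox.
if jit then jit.off() end -- LuaJIT does not call hooks from JIT-compiled code

local function run_limited(src, max_steps, max_kb)
  local chunk, err = loadstring(src, "=untrusted")
  if not chunk then return false, err end
  setfenv(chunk, {}) -- empty environment: the chunk sees no globals

  -- ("x"):rep(n) goes through the shared string metatable, not the
  -- environment, so swap its __index for an empty table during the run.
  local smt = getmetatable("")
  local saved_index = smt.__index
  smt.__index = {}

  local base_kb = collectgarbage("count")
  local steps, done = 0, false
  local function hook() -- runs before every VM instruction (count = 1)
    if done then return end
    steps = steps + 1
    local over = (steps > max_steps and "instruction")
      or (collectgarbage("count") - base_kb > max_kb and "memory")
    if over then
      done = true -- disarm so the hook cannot raise outside the pcall
      error(over .. " budget exceeded", 0)
    end
  end

  local ok, res = pcall(function()
    debug.sethook(hook, "", 1)
    local r = chunk()
    done = true
    return r
  end)
  debug.sethook() -- remove the hook
  smt.__index = saved_index
  return ok, res
end

-- Constructed inputs: the concatenation script from the thread, a busy
-- loop, and a call that needs the string library.
local bomb = 'L = "lol"\n' .. string.rep("L = L..L..L..L..L..L..L\n", 12)
print(run_limited(bomb, 100000, 1024))
print(run_limited("while true do end", 100000, 1024))
print(run_limited('return ("x"):rep(10)', 100000, 1024))
```

The memory check runs between VM instructions, so a single concatenation can overshoot the cap before it is noticed; a hard ceiling needs a limit in the allocator passed to `lua_newstate` or at the OS level.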
