It is now over 60 days since the last post. This thread is closed.
Posted by Nick Gammon, Australia (Forum Administrator)
Date: Wed 24 Nov 2004 09:19 AM (UTC)
A problem with all scripting languages is to make them powerful enough to be useful, but not too powerful that they could be abused by malicious scripts.
Lua has a nice solution to this problem. You can make a Lua "sandbox" by disabling functions that you consider dangerous.
For example, if you don't want people to use the Note function you can do this:
After doing this, although the code for Note still exists (it is inside the MUSHclient executable) you have removed the link from the word "Note" to the code, thus disabling it.
You can be more sophisticated than that, for example disabling a particular word. Here is an example of doing that:
do
  local oldnote = Note
  Note = function (...)
    for k, v in pairs (arg) do
      if string.find (v, "turkey") then
        error "Invalid note"
      end -- if
    end -- for
    oldnote (unpack (arg))
  end -- function
end -- do
If executed, the above code will replace the Note function with one that permanently disables being able to note a string with the word "turkey" in it.
It does this by saving the original Note function into a local variable, and then replacing it with its own version that checks for the word 'turkey', raising an error if found. If not found, it calls the original saved function.
MUSHclient's preliminary code
To help block out dangerous functions, for example:
os.execute "del mushclient.exe"
... MUSHclient has a 'preliminary script' box in its Global Preferences -> Lua section.
This has code that disables some 'dangerous' functions (like 'os') by setting them to nil.
If you are not planning to run untrusted scripts (eg. plugins) then you can edit that code and comment-out any parts you feel comfortable with having available to your scripts.
The code in this box is executed every time the Lua script engine is instantiated, in other words for every world, and every plugin.
There are suggestions in the default script for how you might modify it to block certain plugins (or worlds) but not others, from having access to dangerous commands.
- Nick Gammon
www.gammon.com.au, www.mushclient.com
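A stand-alone sketch of the kind of preliminary script described above, as an added example that is not part of the original post and is not MUSHclient's shipped default script. The `TRUSTED` allowlist, the `sandbox` and `disabled` helpers and the caller ids are hypothetical; it runs under a plain Lua 5.1 or later interpreter and shows why loaders and the debug library need blocking along with `os`.

```lua
-- Added example, not MUSHclient's own preliminary script.
-- TRUSTED, sandbox(), disabled() and the caller ids are assumptions.
local TRUSTED = { ["trusted-plugin-id"] = true }  -- constructed allowlist

-- Replace a function with a stub that raises, rather than nil,
-- so the error message names what was blocked.
local function disabled (name)
  return function ()
    error ("'" .. name .. "' is disabled in the sandbox", 2)
  end
end

local function sandbox (caller_id)
  if TRUSTED [caller_id] then return false end  -- leave trusted callers alone
  for _, f in ipairs { "execute", "remove", "rename", "exit", "tmpname" } do
    os [f] = disabled ("os." .. f)
  end
  for _, f in ipairs { "open", "popen", "lines", "input", "output" } do
    io [f] = disabled ("io." .. f)
  end
  -- Loaders can pull in files or native libraries from outside the sandbox.
  if package then package.loadlib = disabled ("package.loadlib") end
  for _, g in ipairs { "dofile", "loadfile", "require" } do
    _G [g] = disabled (g)
  end
  -- The debug library can read locals and upvalues, which is where a
  -- wrapper such as the Note example keeps the original function.
  debug = nil
  if package and package.loaded then package.loaded.debug = nil end
  return true
end

sandbox ("untrusted-plugin-id")  -- constructed caller id

-- Constructed untrusted chunks: each should fail with no side effects.
local load_chunk = loadstring or load  -- Lua 5.1 / Lua 5.2+
for _, src in ipairs {
  'os.execute "echo should not run"',
  'io.open ("sandbox-test.txt", "w")',
  'debug.getinfo (1)',
} do
  local ok, err = pcall (load_chunk (src))
  print (ok, err)
end
```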