jcokeinfinity
CYA
Hello everyone, I think it has been over a year since I've posted, but since I last got on I've gone and learned several programming languages, one of them Lua. I'm not here to tell you about my hobbies, though; the announcement on www.srb2.org about implementing Lua into the scripting system caught my eye. Even though this is a major step in the right direction, I am curious about how code coming into the game is sandboxed. Now keep in mind that I know Lua, but am not familiar with the C API, so I am writing this from a strictly Lua standpoint.
So here's my point: People seem to forget that Lua is not only a customizing game script, it is a full-fledged programming language. So I am wondering what is going to keep code coming in from an SRB2 server from executing os.execute() and crashing my computer.
C WAY TO FIX THIS
jk, I don't know anything about the C API
Lua WAY TO FIX THIS
Lua has the ability to sandbox itself: since everything is an anonymous value, you can change a function to a new one. To demonstrate:
os.execute = function() do end end
This deactivates the os.execute() function.
This should be done with assert, the os functions, etc.
Sonic Team Junior have probably already straightened this out, but I thought I should just bring it to everyone's attention.
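An allowlist variant of the sandboxing idea raised in the post, added here as an example; it is not part of the original post and is not SRB2's code. The names make_env and run_untrusted and the sample scripts are constructed for illustration.

```lua
-- Allowlist sandbox: an untrusted chunk sees only the names copied into `env`,
-- so os, io, require, load, debug, etc. are simply absent instead of being
-- overwritten one by one. Runs on Lua 5.1/LuaJIT (setfenv) and Lua 5.2+ (load).
local function make_env()
  local env = {
    ipairs = ipairs, pairs = pairs, next = next, select = select,
    tonumber = tonumber, tostring = tostring, type = type,
    pcall = pcall, error = error, assert = assert,
    -- Fresh tables, so a script cannot modify the host's own library tables.
    math = {}, table = {}, string = {},
  }
  for k, v in pairs(math) do env.math[k] = v end
  for k, v in pairs(table) do env.table[k] = v end
  for _, k in ipairs({ "byte", "char", "find", "format", "len", "lower", "sub", "upper" }) do
    env.string[k] = string[k]
  end
  env._G = env -- scripts that look up _G get the sandbox, not the real globals
  return env
end

-- Hypothetical helper: compile `src` as text only and run it inside a new sandbox.
-- Returns pcall-style results: true plus return values, or false plus a message.
local function run_untrusted(src, chunkname)
  -- Precompiled chunks start with ESC (0x1B); refuse them, since the bytecode
  -- loader does not validate its input.
  if src:sub(1, 1) == "\27" then
    return false, "precompiled bytecode rejected"
  end
  local env = make_env()
  local fn, err
  if setfenv then                         -- Lua 5.1 / LuaJIT
    fn, err = loadstring(src, chunkname)
    if fn then setfenv(fn, env) end
  else                                    -- Lua 5.2 and later
    fn, err = load(src, chunkname, "t", env)
  end
  if not fn then return false, err end
  return pcall(fn)
end

-- Constructed sample scripts, as a server-supplied script might arrive.
print(run_untrusted("return math.max(1, 2)", "=ok"))
print(run_untrusted("return os.execute('echo hi')", "=blocked"))
print(run_untrusted("return type(io), type(require), type(loadstring)", "=probe"))
print(run_untrusted("\27Lua", "=bytecode"))
```

This restricts which names a script can reach; it does not bound CPU time or memory, and string methods stay reachable through the shared string metatable (for example `("x"):rep(n)`).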