badpopcorn

Securing Lua, Openlibs Oddity

Written by Ben on April 25, 2007

Lua is a very nifty scripting language embedded into many applications, World of Warcraft being my favorite. A common way to embed Lua into a program is to open a state, load all of Lua's standard libraries, and then execute the intended script:

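lua_State *l;
l = lua_open();                     /* create a new Lua state */
luaL_openlibs(l);                   /* open ALL standard libraries, including io and os */
luaL_dofile(l, "SOME_LUA_SCRIPT");  /* load and run the script */
lua_close(l);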

However, opening all the standard libraries exposes dangerous functions that a script can use maliciously. For example, a World of Warcraft plugin could be written to trash your entire hard drive if all of Lua's standard libraries were loaded. Instead, Lua can load its libraries individually, which lets you exclude the libraries that leave holes to the operating system:
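One way to check the result from inside the embedded state, as an added example that is not code from the original post: the script below lists which file, process and native-code entry points are still reachable after the host has opened its chosen libraries. It assumes Lua 5.1 function names; `RISKY`, `audit` and `report` are illustrative names, and the list is not exhaustive.

```lua
-- Added example. Assumes Lua 5.1 names; RISKY and audit() are illustrative.
-- Uses only core syntax plus type/rawget/ipairs/print from the base library,
-- so it runs even when string, table, io, os and package were never opened.

-- Functions that reach files, processes or native code, grouped by the global
-- table that exposes them. "_G" holds plain globals: dofile/loadfile come from
-- the base library itself, require/module are installed by the package library.
local RISKY = {
  { "_G",      { "dofile", "loadfile", "require", "module" } },
  { "io",      { "open", "popen", "lines", "input", "output", "tmpfile" } },
  { "os",      { "execute", "remove", "rename", "tmpname", "getenv", "exit" } },
  { "package", { "loadlib", "loaders", "cpath" } },
  { "debug",   { "getregistry", "setupvalue", "sethook", "setfenv" } },
}

-- Return the names of risky entries reachable from the globals table `env`.
local function audit(env)
  local found = {}
  for _, entry in ipairs(RISKY) do
    local lib, names = entry[1], entry[2]
    local tbl = env
    if lib ~= "_G" then tbl = rawget(env, lib) end
    if type(tbl) == "table" then
      for _, name in ipairs(names) do
        if rawget(tbl, name) ~= nil then
          found[#found + 1] = (lib == "_G") and name or (lib .. "." .. name)
        end
      end
    end
  end
  return found
end

-- Constructed globals table imitating a host that skipped io but opened base and os.
local sample = {
  print = print,
  dofile = function() end,
  os = { time = function() end, execute = function() end },
}

local function report(label, env)
  local hits = audit(env)
  print(label .. ": " .. #hits .. " risky entries")
  for _, name in ipairs(hits) do print("  " .. name) end
end

report("constructed sample", sample)
report("this state", _G)
```

Load it with the same `luaL_dofile` call the host uses for its scripts; an empty list for "this state" means none of the listed entry points are exposed.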