How to execute an untrusted Lua file in its own environment from the C API


Question

I want to execute an untrusted .lua file in its own environment by calling lua_setfenv() so that it cannot affect any of my code.

The documentation for that function though only explains how to call a function, not how to execute a file.

Currently, to run the file I use:

int error = luaL_loadfile(mState, path.c_str()) || lua_pcall(mState, 0, 0, 0);

Do I have to call the "dofile" Lua function from the C API with lua_setfenv, or is there a more elegant way to do it?

Answer

See the discussion at the Lua User's Wiki of sandboxing, and the more general topic of script security. There are a number of subtle and not so subtle issues with this kind of thing. It can be done, but protecting against code such as for i=1,1e39 do end requires more than just restricting what functions are available to a sandbox.

The general technique is to create a function environment for the sandbox that has a whitelist of permitted functions in it. In some cases, that list might even be empty, but letting the user have access to pairs(), for example, is almost certainly harmless. The sandbox page has a list of the system functions broken down by their safety as a handy reference for constructing such a whitelist.

You then use lua_setfenv() to apply the function environment to the user's script which you loaded (but haven't yet executed) with lua_loadfile() or lua_loadstring() as appropriate. With the environment attached, you could execute it with lua_pcall() and friends. Before execution, some people have actually scanned the loaded bytecode for operations that they don't want to permit. That can be used to absolutely forbid loops or writing to global variables.

One other note is that the load functions will generally load either precompiled bytecode or Lua text. It turns out to be a lot safer if you never permit precompiled bytecode, as a number of ways to make the VM misbehave have been identified that all depend on handcrafting invalid bytecode. Since bytecode files begin with a well-defined byte sequence that is not plain ASCII text, all you need to do is read the script into a string buffer, test for the absence of the marker, and only pass it to lua_loadstring() if it is not bytecode.

There has been a fair amount of discussion at the Lua-L mailing list over the years of this kind of thing, so searching there is also likely to be helpful.
