On 7 August 2010 02:01, Erik Cassel wrote:
> While investigating a security breach in some of our sandbox code I came
> upon the undocumented "newproxy" feature. From a security point of view
> it seems scary because it allows you to somehow play with metamethods of
> userdata objects.
It only allows you to play with the metamethods of userdata you
create, you can't setmetatable() on a userdata returned by newproxy,
only clone existing proxies. Still yes, it's not a function I'd expect
to see in a sandbox.
> Are there any other "undocumented" surprises in Lua?
If newproxy() was in your sandbox (especially without your knowledge)
then it wasn't a very good sandbox. To make a sandbox you should start
with an empty environment and pull in only functions you know to be
safe. In fact there's a good guide on sandboxing on the wiki,
including listing safe/unsafe standard functions:
> Yes, people use newproxy in clever ways and I'm sure they rely on it. So
> please do one of the following:
> 1) Make it an official part of the language
> 2) Put it in the documentation as an unsupported feature
> 3) Turn it off by default. Allow it to be enabled in luaconf.h
> I think option 3 is the best one. If something isn't documented then most
> people won't use it, so it just bloats the code. Turn it off by default
> then let people opt into it.
I agree with any of those, though I favour 3 least. If going that far
however then I'd say just remove it completely - it's not hard to make
a C module that exports a newproxy() function if you need it, easier
than rebuilding Lua for most people.
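As an added illustration of the whitelist approach described above (example code, not from this thread or the Lua wiki; it assumes Lua 5.1 with loadstring/setfenv, and the list of "safe" names is my own choice, not the wiki's):

```lua
-- Minimal Lua 5.1 whitelist sandbox: start from an empty environment and
-- copy in only the names we believe are safe. newproxy, loadstring, setfenv,
-- rawset, getmetatable, os, io, debug and package are simply never copied.
local SAFE_GLOBALS = {
  "assert", "error", "ipairs", "next", "pairs", "pcall", "select",
  "tonumber", "tostring", "type", "unpack",
}
local SAFE_LIBS = { "string", "table", "math" }
-- string.dump hands out bytecode, which later loads as a trusted chunk.
local EXCLUDED = { ["string.dump"] = true }

-- Build a fresh environment table containing only the whitelisted names.
local function make_env()
  local env = {}
  for _, name in ipairs(SAFE_GLOBALS) do
    env[name] = _G[name]
  end
  for _, lib in ipairs(SAFE_LIBS) do
    local copy = {}
    for k, v in pairs(_G[lib]) do
      if not EXCLUDED[lib .. "." .. k] then copy[k] = v end
    end
    env[lib] = copy
  end
  env._G = env  -- untrusted code sees the sandbox table as its globals
  return env
end

-- Run untrusted source text inside a fresh sandbox environment.
local function run_sandboxed(source)
  -- loadstring in 5.1 also accepts precompiled chunks; reject those,
  -- since bytecode is not checked the way source is.
  if source:sub(1, 1) == "\27" then
    return false, "bytecode chunks are not accepted"
  end
  local chunk, err = loadstring(source, "=sandbox")
  if not chunk then return false, err end
  setfenv(chunk, make_env())
  return pcall(chunk)
end

-- Constructed probe: untrusted code looking for newproxy, os and string.dump.
local ok, result = run_sandboxed([[
  return type(newproxy) .. "," .. type(os) .. "," .. type(string.dump)
]])
assert(ok and result == "nil,nil,nil", tostring(result))
print("hidden from sandbox:", result)
```

Caveat a full sandbox must also handle: the string metatable is shared with the host, so `("").dump` still reaches the real string library unless `getmetatable("").__index` is replaced with the sandboxed copy.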