Update of bug #15624 (project freeciv):
Summary: [RFC] scripting: Sandbox Lua scripts = [RFC] scripting: Sandbox Lua scripts [Remove unsafe functionality]
___
Reply to this item at:
http://gna.org/bugs/?15624
Update of bug #15624 (project freeciv):
Status: Ready For Test = Fixed
Open/Closed: Open = Closed
Follow-up Comment #9, bug #15624 (project freeciv):
The first proposed solution, providing an unbreakable sandbox, is not the
best solution. The problem with the first patch is that tolua exposes all the
userdata types' metatables (as the names of each type), and the script can
then overwrite
Update of bug #15624 (project freeciv):
Status: In Progress = Ready For Test
___
Follow-up Comment #10:
This solution is easy and less complex/fewer lines of code, which makes it
easy to choose. This
Follow-up Comment #11, bug #15624 (project freeciv):
Testcase Scenario. This Scenario will run a couple of asserts to make sure
none of the Lua 5.1 unsafe functionality is available through their standard
ways. A successful run will not show any Lua errors or output at all neither
at scenario
Update of bug #15624 (project freeciv):
Dependency Removed: = patch #1534
___
Follow-up Comment #12, bug #15624 (project freeciv):
A very similar version, but in pure C. The 2.2+trunk version of the patch
has an added compiler warning if the unsafe functions information is not
updated for a new Lua version. The 2.1 patch does not have this, since Lua
5.0 doesn't define a
Follow-up Comment #4, bug #15624 (project freeciv):
Ok, no not really. Feel free to work on this. I will type up documentation
later. What will happen to 2.1? It looks like it is still using Lua 5.0 while
2.2 is using 5.1.
Follow-up Comment #5, bug #15624 (project freeciv):
> Ok, no not really. Feel free to work on this. I will type up documentation
> later.
I thought it was ready. It's a big security problem. Maybe documentation
could be done later.
> What will happen to 2.1? It looks like it is still using Lua 5.0
Follow-up Comment #6, bug #15624 (project freeciv):
I agree that the security issue is very important. The caveat is that just
because we think it works doesn't mean that it does; security is hard,
especially with a runtime that we don't know so well :-)
Luckily, the Lua runtime is very small.
Update of bug #15624 (project freeciv):
Status: Ready For Test = In Progress
Assigned to: pepeto = englabenny
___
Follow-up Comment #7:
I conclude, that I
Follow-up Comment #8, bug #15624 (project freeciv):
Be sure that by saying that security is hard, I don't mean that I can do it
better than you -- on the contrary, if we work together, this will be much
better. What I meant was: don't trust me yet, it's not so easy.
Follow-up Comment #3, bug #15624 (project freeciv):
Will you be able to work on it and commit it in the near future?
Update of bug #15624 (project freeciv):
Status: None = Ready For Test
Assigned to: None = pepeto
Planned Release: = 2.2.1, 2.3.0
2010/3/17 pepeto no-reply.invalid-addr...@gna.org:
Update of bug #15624 (project freeciv):
Status: None = Ready For Test
Assigned to: None = pepeto
Planned Release: = 2.2.1, 2.3.0
Update of bug #15624 (project freeciv):
Severity: 3 - Normal = 4 - Important
Priority: 1 - Later = 7 - High
Planned Release: 2.2.1, 2.3.0 = 2.1.12, 2.2.1, 2.3.0
URL:
http://gna.org/bugs/?15624
Summary: [RFC] scripting: Sandbox Lua scripts
Project: Freeciv
Submitted by: englabenny
Submitted on: Sunday 2010-03-14 at 22:40
Category: general
Severity: 3 - Normal