Global Preferences - Lua sandbox DLL checkbox
|
It is now over 60 days since the last post. This thread is closed.
| Posted by
| Twisol
USA (2,257 posts) Bio
|
| Date
| Sat 17 Oct 2009 02:09 AM (UTC) |
| Message
| What exactly does the "Allow DLLs to be loaded" checkbox do? I don't see much difference between checking and unchecking it; no matter what state it's in, I still need to trust my world (as well as plugin if I'm in one of those) to use loadlib().
While I'm on this topic, it seems to me like Lua is the only language limited from loading DLLs by default. Is that correct? |
'Soludra' on Achaea
Blog: http://jonathan.com/
GitHub: http://github.com/Twisol | | Top |
|
| Posted by
| Nick Gammon
Australia (23,173 posts) Bio
Forum Administrator |
| Date
| Reply #1 on Sat 17 Oct 2009 02:26 AM (UTC) |
| Message
| If that is not checked, after MUSHclient loads Lua, it sets package.loadlib to be nil, so you can't use it to load DLLs.
It also sets:
package.loaders [3] = nil -- disable DLL loader
package.loaders [4] = nil -- disable all-in-one loader
These are used by the "require" function. See:
http://www.gammon.com.au/scripts/doc.php?lua=package.loaders
The overall intention was to stop malicious use of DLLs without user authorization.
I can't speak for how secure all the other languages are, my intention was not to open gaping security holes by allowing things like io (which could delete or open files), or DLLs (which could be used to load arbitrary code) without at least some user knowledge or intervention.
You know how Microsoft has been sledged over the years for making an insecure product? In many ways, this insecurity comes about because they tried to make it easy for the end-user, so they didn't put too many restrictions into their products. Of course, those insecurities ended up being exploited, with the end-result that we now have worms, viruses, trojans, and everything else under the sun lurking in Windows computers. |
- Nick Gammon
www.gammon.com.au, www.mushclient.com | | Top |
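
Added example, not part of the original thread and not MUSHclient's own code: a Lua script that applies the three assignments described in the reply above and then audits whether any native-code loading path is still reachable from the script state. The function names and the missing-module name are hypothetical; `package.searchers` is the Lua 5.2+ name for `package.loaders`.

```lua
-- Added example; not MUSHclient source. Function and module names are hypothetical.
-- Lua 5.1 calls the table package.loaders; Lua 5.2+ renamed it package.searchers.
local function searcher_table()
  return package.loaders or package.searchers or {}
end

-- Apply the three assignments described in the reply above.
local function disable_dll_loading()
  local s = searcher_table()
  package.loadlib = nil  -- no direct loading of a named library
  s[3] = nil             -- C library searcher (walks package.cpath)
  s[4] = nil             -- all-in-one searcher
end

-- Return a list of native-code loading paths that are still reachable.
local function audit_dll_loading()
  local s, findings = searcher_table(), {}
  local function note(msg) findings[#findings + 1] = msg end
  if package.loadlib ~= nil then note("package.loadlib is present") end
  if s[3] ~= nil then note("searcher 3 (C library) is installed") end
  if s[4] ~= nil then note("searcher 4 (all-in-one) is installed") end
  -- Behavioural check: a failed require lists every file each searcher
  -- tried, so a package.cpath candidate in the error means a C searcher ran.
  local name = "zz_constructed_missing_module"  -- constructed; must not exist
  local _, err = pcall(require, name)
  for template in (package.cpath or ""):gmatch("[^;]+") do
    local candidate = template:gsub("%?", name)
    if tostring(err):find(candidate, 1, true) then
      note("require still probes " .. candidate)
      break
    end
  end
  return findings
end

local function report(label)
  local f = audit_dll_loading()
  print(label .. ": " .. (#f == 0 and "no native-code loader reachable"
                                   or table.concat(f, "; ")))
end

report("before")
disable_dll_loading()
report("after")
```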
|
| Posted by
| Twisol
USA (2,257 posts) Bio
|
| Date
| Reply #2 on Sat 17 Oct 2009 02:53 AM (UTC) Amended on Sat 17 Oct 2009 03:00 AM (UTC) by Twisol
|
| Message
| After fiddling with it a bit more, it looks like no matter what the 'trusted' status of a plugin or world is, the checkbox controls the usability of the bits you mentioned above. Guess that's what it does. *laughs* My initial experimenting wasn't extensive enough it seems.
Less on topic: I completely agree on the security issues. It just seems to me like it's more difficult than warranted to load external libraries. I think a better interface, like a Triggers/Aliases-esque list, might make it easier on users, while still ensuring they know what they're getting into... EDIT: i.e. you could add entries for the worlds/plugins that should be given various degrees of access, and specifically trusted plugins should not be dependent on their world also being trusted. |
'Soludra' on Achaea
Blog: http://jonathan.com/
GitHub: http://github.com/Twisol | | Top |
|
The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).