General Minetest + Lua Questions (Sandboxing, Modules, ...)

by prestidigitator » Mon Feb 25, 2013 21:26

1.) I make it a habit to search for Lua standard library calls in mods' source code before loading them, and inspect very carefully use of any that might be dangerous (e.g. "dofile", "io.open", "os.*", etc.). In order to ease our minds a little about potentially malicious mods, has any sandboxing been done to mods' Lua environments (e.g. limiting use of system calls and limiting "dofile()" calls to the Minetest directory tree(s))? For an example of what I mean, see http://lua-users.org/wiki/SandBoxes

2.) Is there a reason that "dofile()" is used consistently throughout the game's Lua code and the source code of mods, instead of "module/require"? Has any effort been made to support actual Lua modules (i.e. module search paths and/or custom loading)? (See http://www.lua.org/manual/5.1/manual.html#pdf-module, http://www.lua.org/manual/5.1/manual.html#pdf-require, and http://lua-users.org/wiki/ModulesTutorial)

(EDIT: Okay, never mind about "module", but the question stands about "require". See http://lua-users.org/wiki/LuaModuleFunctionCritiqued)
Last edited by prestidigitator on Mon Feb 25, 2013 23:13, edited 1 time in total.
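
One way to build the kind of restricted environment asked about in question 1, as an added example that is not part of the original post and is not Minetest's own code: a Lua 5.1 whitelist environment (applied with setfenv) whose dofile only loads source files under a given mod directory. The names make_sandbox, is_safe_relpath and mod_root are hypothetical.

```lua
-- Added example for Lua 5.1 (relies on setfenv); all names are hypothetical.
-- Shallow copies keep a mod from altering the shared library tables.
local function copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

-- Reject absolute paths, drive letters, backslashes, NUL bytes and ".." parts.
local function is_safe_relpath(p)
  if type(p) ~= "string" or p == "" then return false end
  if p:find("^/") or p:find("\\") or p:find(":") or p:find("%z") then
    return false
  end
  for part in p:gmatch("[^/]+") do
    if part == ".." then return false end
  end
  return true
end

local function make_sandbox(mod_root)
  -- Whitelist only: io, debug, package, require, load*, setfenv/getfenv,
  -- rawset/rawget, getmetatable and most of os are simply never exposed.
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = unpack, print = print,
    math = copy(math), table = copy(table), string = copy(string),
    os = { time = os.time, clock = os.clock, difftime = os.difftime },
  }
  env._G = env
  function env.dofile(relpath)
    if not is_safe_relpath(relpath) then
      error("dofile outside mod directory: " .. tostring(relpath), 2)
    end
    local path = mod_root .. "/" .. relpath
    local f = assert(io.open(path, "rb"))
    local src = f:read("*a")
    f:close()
    -- Lua 5.1 does not verify precompiled chunks, so accept source text only.
    if src:sub(1, 1) == "\27" then error("bytecode refused: " .. relpath, 2) end
    local chunk = assert(loadstring(src, "@" .. path))
    setfenv(chunk, env)  -- the loaded file sees only the whitelist
    return chunk()
  end
  return env
end
-- Usage (constructed path): make_sandbox("/path/to/mods/example").dofile("init.lua")
```

The path check is lexical, so a symlink inside the mod directory can still point elsewhere, and nothing here limits CPU time or memory use.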
 

by rubenwardy » Tue Feb 26, 2013 13:19

Sapier's pull requests on GitHub would be useful for this topic.
 

