Safe config file using Lua


Safe config file using Lua

jose marin2
Hi.

I would like to use Lua to manage config files for my game, but the problem is how to restrict the functions the user may call in this file, to avoid hacking my game.

For example, on the config file this could be legal:

ActionKey = K_ENTER
SetResolution(800, 600)

But this not:

ResourcePath = "c:/myres"
SetPlayerMaxHealth(10000)

The user could use "ActionKey" and "SetResolution", but not "ResourcePath" or "SetPlayerMaxHealth".


Thanks for any tip.


Jose



Re: Safe config file using Lua

Romulo Bahiense
Jose Marin wrote:
> Hi.
>
> I would like to use Lua to manage config files for my game, but the problem is how to restrict the functions the user may call in this file, to avoid hacking my game.
>
> For example, on the config file this could be legal:
>
> ActionKey = K_ENTER
> SetResolution(800, 600)
>
> But this not:
>
> ResourcePath = "c:/myres"
> SetPlayerMaxHealth(10000)
>
> The user could use "ActionKey" and "SetResolution", but not "ResourcePath" or "SetPlayerMaxHealth".
>
> Thanks for any tip.
>
> Jose





Search for "sandbox[ing]"




Re: Safe config file using Lua

Irayo
In reply to this post by jose marin2
Jose Marin wrote:
> But this not:
>
> ResourcePath = "c:/myres"
> SetPlayerMaxHealth(10000)
>
> The user could use "ActionKey" and "SetResolution", but not "ResourcePath" or "SetPlayerMaxHealth".

Jose,

You could just make a new Lua instance and not push the functions "SetResolution" and "ResourcePath" to it, or you could set those functions to nil before calling the config script and restore them afterward, or (most preferably) set the environment to a blank or limited one before loading the config file. See the Lua reference for "lua_setfenv" for more information on the latter option.

The most obvious option is the last one: creating a limited environment (see setfenv and stuff) and just loading the config file in that environment. This is called sandboxing.

Then again, if your game is coded in Lua, why wouldn't someone just modify the *other* Lua files (which the game "trusts") and change what they wanted to change? Furthermore, if you load the game data files after the config file, this shouldn't matter, because anything that the config file set (like MaxPlayerHealth) would be overwritten by the game files.

--
Irayo
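
The limited-environment approach suggested in the reply above, as an added example that is not part of the original thread: the config chunk runs in an environment that exposes only K_ENTER and SetResolution and accepts assignments only to ActionKey. The names load_config, ALLOWED_KEYS and settings, and the key code 13, are assumptions made for illustration; the loader uses setfenv on Lua 5.1 and the env argument of load on Lua 5.2 and later.

```lua
-- Added example: load_config, ALLOWED_KEYS and settings are hypothetical names.
local ALLOWED_KEYS = { ActionKey = true }   -- globals the config may assign

local function load_config(source)
  -- Refuse precompiled chunks: bytecode starts with ESC (0x1B) and is not checked like source.
  if source:sub(1, 1) == "\27" then
    return nil, "bytecode not allowed"
  end

  local settings = {}                 -- values collected from the config
  local env = setmetatable({}, {
    __index = {                       -- the only names the config can read
      K_ENTER = 13,                   -- constructed key code
      SetResolution = function(w, h)
        assert(type(w) == "number" and type(h) == "number", "SetResolution(w, h) expects numbers")
        settings.Resolution = { w, h }
      end,
    },
    __newindex = function(_, key, value)   -- env stays empty, so every assignment lands here
      if not ALLOWED_KEYS[key] then
        error("setting '" .. tostring(key) .. "' is not allowed", 2)
      end
      settings[key] = value
    end,
  })

  local chunk, err
  if setfenv then                     -- Lua 5.1: the setfenv approach from the thread
    chunk, err = loadstring(source, "=config")
    if chunk then setfenv(chunk, env) end
  else                                -- Lua 5.2+: pass the environment to load; "t" = text only
    chunk, err = load(source, "=config", "t", env)
  end
  if not chunk then return nil, err end

  local ok, runerr = pcall(chunk)     -- runtime errors become a nil, message result
  if not ok then return nil, runerr end
  return settings
end

-- Constructed sample configs: the first is accepted, the other three are rejected.
print(load_config('ActionKey = K_ENTER\nSetResolution(800, 600)').ActionKey)
print(load_config('ResourcePath = "c:/myres"'))
print(load_config('SetPlayerMaxHealth(10000)'))
print(load_config('os.exit()'))
```

The environment limits which names the config can reach, not how long the chunk runs or how much memory it allocates, and string methods remain reachable through string values. Values collected in settings should still be range-checked by the game before use.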