userdata

userdata

Jim Mathies-2
Hello all,

Curious about something related to userdata.  Based on my
understanding of these, they are simply void* pointers
to C memory data.  Wouldn't this be considered unsafe
security-wise if Lua was running as a 'Java like' VM?

Regards,
Jim Mathies


RE: userdata

Ashley Fryer-2
> From: Jim Mathies
>
> Curious about something related to userdata.  Based on my
> understanding of these, they are simply void* pointers
> to C memory data.  Wouldn't this be considered unsafe
> security-wise if Lua was running as a 'Java like' VM?

Userdata isn't a security risk for 2 reasons:

First, there's no built-in way for Lua to dereference a pointer.  So,
there's no way for a malicious script to read or write the memory that a
void* might point to.

Second, although userdata is a void*, it doesn't necessarily point to
anything valid ( this is up to you ).  For example, from C you could:

  int my_age = 42;
  lua_pushuserdata( (void*) my_age );

This might be a perfectly useful and valid thing to do with userdata, but it
has nothing to do with a specific memory location.

Given the above, keep in mind that Lua is primarily an extension language.
You can certainly write dangerous C extensions to Lua which could change
memory, make system calls, etc.  Core Lua is secure, but what you build on
top of it is another matter.  For example, if you're worried about security
you shouldn't include the standard I/O library in your product.

Regards,
ashley
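
Added example, not part of the original posts and not Lua's own code: one way a C extension can keep the reply's two points true on the host side, by handing scripts a userdata value that is an opaque token (slot plus generation) instead of an address and validating it before touching memory. A script cannot dereference the value, but it can hand back a stale one or one that came from a different extension. The Account type and the account_* functions are hypothetical, and no Lua API calls are used so the block compiles on its own.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical host object that a C extension exposes to scripts. */
typedef struct { int in_use; uint16_t gen; int balance; } Account;

#define MAX_ACCOUNTS 8
static Account accounts[MAX_ACCOUNTS];

/* Pack slot index and generation into the void* given to the script.
 * The value is a token, never an address (like my_age in the reply). */
static void *make_handle(unsigned slot, uint16_t gen) {
    return (void *)(uintptr_t)(((uintptr_t)gen << 16) | (slot + 1));
}

/* Create an account; the result is what the host would push as userdata. */
void *account_open(int balance) {
    for (unsigned i = 0; i < MAX_ACCOUNTS; i++) {
        if (!accounts[i].in_use) {
            accounts[i].in_use = 1;
            accounts[i].gen++;          /* invalidates older tokens for this slot */
            accounts[i].balance = balance;
            return make_handle(i, accounts[i].gen);
        }
    }
    return NULL;                        /* table full */
}

/* Validate a token coming back from a script before using it. */
static Account *account_resolve(void *ud) {
    uintptr_t v = (uintptr_t)ud;
    uintptr_t slot = v & 0xFFFF;
    if (v > 0xFFFFFFFFu || slot == 0 || slot > MAX_ACCOUNTS) return NULL;
    Account *a = &accounts[slot - 1];
    return (a->in_use && a->gen == (uint16_t)(v >> 16)) ? a : NULL;
}

void account_close(void *ud) {
    Account *a = account_resolve(ud);
    if (a) a->in_use = 0;
}

/* Extension entry point: 0 and *out on success, -1 on a bad or stale token. */
int account_balance(void *ud, int *out) {
    Account *a = account_resolve(ud);
    if (!a) return -1;
    *out = a->balance;
    return 0;
}
```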