ardupilot/libraries/AP_Scripting/lua
Thomas Watson dc4d1bacdd AP_Scripting: adjust string metatable setup to fix sandbox integrity
In Lua, strings are the only type that come with a default metatable.
The metatable must be shared by all string objects, and it is set to be
the `string` library table each time that library is opened. In
Ardupilot's scripting engine, the last script to load then has access to
the string metatable as the library is opened fresh for each script, as
its `string` library will have been set to the metatable.

Therefore, if two scripts are loaded, A first and B second, and script B
executes e.g. `string.byte = "haha"`, then `string.byte()` and
`s:byte()` for script B are broken. Because the metatable is shared,
this also breaks `s:byte()` for script A, which violates the integrity
of the sandbox.

Fix the issue by disabling the metatable setup functionality when the
string libary is opened, then manually opening an additional copy of the
library (which won't be given to any script) and setting it as the
string metatable during intialization.

This will break any script that modifies the string metatable for
constructive purposes, but such a script could have been broken if it
weren't the only script running anyway.
2024-07-30 10:54:00 +10:00
..
doc
src AP_Scripting: adjust string metatable setup to fix sandbox integrity 2024-07-30 10:54:00 +10:00
Makefile
README

README

This is Lua 5.3.5, released on 26 Jun 2018.

For installation instructions, license details, and
further information about Lua, see doc/readme.html.