
Malicious LuaJIT bytecode - cbetz
http://www.corsix.org/content/malicious-luajit-bytecode
======
buserror
I'm a big fan and user of LuaJIT, and as much as I understand the problem of
'trusting' loading files around, in the case of LuaJIT anyone using the API
would be /crazy bonkers/ to load code from anywhere other than a very specific,
very closed source base.

LuaJIT has FFI, which allows you to call back into any C code, libraries,
structures and so forth, so by definition you KNOW the Lua you run in LuaJIT is
not 'safe scripting' but more or less part of the running process, with no
barrier (and that's part of the beauty of it).

The good news is, you 1) can't easily load Lua files in LuaJIT and 2) can make
your own 'loader' in your LuaJIT application that can match a hash for
anything you load, before it's loaded - it's fairly trivial in fact.

So that article could be replaced by search/replacing with something like 'if
you load a dynamic library in C and dybload() a symbol and call it, it CAN BE
NASTY!' Well yeah, it can. Don't trust external code, otherwise someone will
make clickbait out of you :-)

~~~
kayamon
The FFI does not make LuaJIT unsafe. If you want safe code, you simply run the
code in a sandboxed environment which does not include the FFI library.

> you can't easily load lua files in LuaJit

Yes you can, it has the same scripting interface as stock Lua.
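The two suggestions in this thread (buserror's hash-matching loader, kayamon's sandbox environment without the FFI library) can be combined in one host-side loader, together with the mitigation for the linked article's actual problem: refusing precompiled bytecode outright. The following is an added example written for this page, not code from either commenter, from the article or from the LuaJIT project. It assumes LuaJIT 2.x, where `load()` accepts the Lua 5.2 `mode` and `env` arguments, and it uses a 32-bit FNV-1a as a stand-in digest purely so it runs offline; a real loader would pass in a cryptographic hash (SHA-256) supplied by the host application.

```lua
-- Added example: a restrictive chunk loader for a LuaJIT host.
-- It (1) only runs chunks whose digest matches a manifest, (2) refuses
-- bytecode by loading in text-only mode, and (3) runs approved chunks in an
-- environment that has no ffi, require, io, os, debug or load-style functions.
-- Assumption: LuaJIT 2.x, whose load() takes (chunk, name, mode, env).
local bit = require("bit")

-- Stand-in digest so the example runs offline. FNV-1a is NOT a cryptographic
-- hash; a real loader should obtain SHA-256 from the host application (for
-- example via FFI into its own C code, held outside the sandbox) and pass
-- that function to new_loader() instead.
local function fnv1a(s)
  local h = bit.tobit(2166136261)
  for i = 1, #s do
    h = bit.bxor(h, s:byte(i))
    -- h * 16777619 == (h << 24) + h * 403, evaluated mod 2^32 without
    -- losing precision in LuaJIT's double arithmetic
    h = bit.tobit(bit.lshift(h, 24) + h * 403)
  end
  return bit.tohex(h)
end

-- Allowlist environment: copy only harmless globals. Deliberately absent:
-- ffi, require, package, load, loadstring, loadfile, dofile, io, os, debug,
-- jit, getfenv, setfenv, rawget, rawset, getmetatable, setmetatable,
-- collectgarbage. Chunks see this table as their global scope.
local function make_sandbox()
  local env = {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = unpack, print = print,
    math = math, table = table,
    string = {},  -- copy of string without dump (which serialises bytecode)
  }
  for k, v in pairs(string) do
    if k ~= "dump" then env.string[k] = v end
  end
  env._G = env
  return env
end

-- manifest: chunk name -> expected digest of the chunk's source text,
-- computed when the trusted code base is built, never at load time.
local function new_loader(manifest, digest)
  digest = digest or fnv1a
  return function(name, source)
    local expected = manifest[name]
    if not expected then
      return nil, "refused: " .. name .. " is not in the manifest"
    end
    local actual = digest(source)
    if actual ~= expected then
      return nil, ("refused: %s digest %s does not match manifest %s")
        :format(name, actual, expected)
    end
    -- mode "t" makes load() reject a precompiled (binary) chunk, so LuaJIT's
    -- unverified bytecode loader is never reached from untrusted input.
    local fn, err = load(source, "=" .. name, "t", make_sandbox())
    if not fn then
      return nil, "refused: " .. tostring(err)
    end
    return fn
  end
end

-- Constructed demo inputs (made up for this example, not real project files).
local trusted_src =
  "local t = {} for i = 1, 3 do t[#t + 1] = i * i end return table.concat(t, ',')"
local manifest = { ["config.lua"] = fnv1a(trusted_src) }
local run = new_loader(manifest)

-- 1. an approved, unmodified source chunk compiles and runs in the sandbox
local fn, err = run("config.lua", trusted_src)
print("approved chunk:", fn and fn() or err)

-- 2. a tampered copy of the same chunk is refused before it is compiled
print("tampered chunk:", select(2, run("config.lua", trusted_src .. " --")))

-- 3. precompiled bytecode is refused even when its digest is in the manifest;
--    string.dump is called here by the host, outside the sandbox
local bytecode = string.dump(loadstring("return 1"))
manifest["binary.lua"] = fnv1a(bytecode)
print("bytecode chunk:", select(2, run("binary.lua", bytecode)))

-- 4. inside the sandbox there is no ffi and no require to reach for
local probe = "return type(ffi), type(require), type(io)"
manifest["probe.lua"] = fnv1a(probe)
print("sandbox probe:", run("probe.lua", probe)())
```

The manifest check happens on the raw source before `load()` is ever called, so a modified or unknown chunk never reaches the compiler, and the `"t"` mode is what closes the door the linked article describes, since it rejects a binary chunk regardless of its digest. Note that the `env` table only governs what a chunk can name as a global; anything the host exposes to the sandbox (including functions that themselves call into C) still needs to be reviewed on its own.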

