Chuck Adams on Thu, 28 Dec 2006 12:58:32 -0700 (MST)


Re: [s-d] dice server enhancements, part 2

On 12/28/06, Joel Uckelman <uckelman@xxxxxxxxx> wrote:
> I'd originally thought about using Perl to do the parsing and execution,
> but I couldn't convince myself that it would be possible to sanitize
> the code to make sure that users weren't finding a sneaky way to call
> system().

Perl has taint, which would prevent that from happening.  Ruby has
security levels, which are taint on steroids.  Python has pretty much
zip for sandboxing now.  All three are pretty heavy anyway.  PHP has
... *chuckle* ... let's not imagine it has security.  But Lua's small
and simple enough that it's actually encouraged to just compile your
own interpreter with all the bits you don't want removed.  I would
really recommend it in this case.

spoon-discuss mailing list
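The worry in the quoted passage is that user input handed to a general-purpose interpreter could reach system(). Besides taint modes or a stripped-down Lua build, the other standard answer for a dice server is to never treat the input as code at all: accept only a small dice grammar and reject everything else as a syntax error. The following is an added example written for this page, not code from the thread or the spoon dice server; it is in Python precisely because, as the message notes, Python offers no sandbox, so the safety comes entirely from the parser. The grammar, the limits (MAX_DICE, MAX_SIDES, MAX_LENGTH) and the function names (tokenize, evaluate, is_valid) are all constructed for the example.

```python
"""Evaluate user-supplied dice expressions without passing them to eval() or an interpreter.

Grammar (constructed for this example; hypothetical, not the spoon server's):
    expr   := term (('+' | '-') term)*
    term   := factor (('*' | '/') factor)*
    factor := roll | INT | '(' expr ')'
    roll   := INT? 'd' INT
Anything outside this grammar raises DiceError, so there is no path from
input to system(), __import__ or any other interpreter facility.
"""
import random
import re

# Only digits, the letter d/D, the four arithmetic operators and parentheses tokenize.
_TOKEN = re.compile(r"\s*(?:(\d+)|([dD+\-*/()]))")

MAX_DICE = 100     # cap per roll so "99999999d6" cannot tie up the server (hypothetical limit)
MAX_SIDES = 1000   # hypothetical limit
MAX_LENGTH = 200   # cap on input size so tokenizing and parsing stay bounded


class DiceError(ValueError):
    """Raised for any input that is rejected: bad syntax, out-of-range roll, division by zero."""


def tokenize(text):
    """Turn the input into ("INT", n) / ("OP", c) tokens, rejecting any other character."""
    if len(text) > MAX_LENGTH:
        raise DiceError("expression too long")
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise DiceError("unexpected character at %d: %r" % (pos, text[pos]))
        if m.group(1) is not None:
            tokens.append(("INT", int(m.group(1))))
        else:
            tokens.append(("OP", m.group(2).lower()))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser that evaluates as it parses; rng supplies the dice."""

    def __init__(self, tokens, rng):
        self.tokens, self.pos, self.rng = tokens, 0, rng

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_expr(self):
        value = self.parse_term()
        while self.peek() in (("OP", "+"), ("OP", "-")):
            _, op = self.take()
            rhs = self.parse_term()
            value = value + rhs if op == "+" else value - rhs
        return value

    def parse_term(self):
        value = self.parse_factor()
        while self.peek() in (("OP", "*"), ("OP", "/")):
            _, op = self.take()
            rhs = self.parse_factor()
            if op == "*":
                value *= rhs
            else:
                if rhs == 0:
                    raise DiceError("division by zero")
                value //= rhs
        return value

    def parse_factor(self):
        kind, value = self.peek()
        if (kind, value) == ("OP", "("):
            self.take()
            inner = self.parse_expr()
            if self.take() != ("OP", ")"):
                raise DiceError("expected ')'")
            return inner
        if (kind, value) == ("OP", "d"):      # bare "d6" means "1d6"
            self.take()
            return self.roll(1, self.parse_int())
        if kind == "INT":
            self.take()
            if self.peek() == ("OP", "d"):
                self.take()
                return self.roll(value, self.parse_int())
            return value
        raise DiceError("unexpected token %r" % (value,))

    def parse_int(self):
        kind, value = self.take()
        if kind != "INT":
            raise DiceError("expected a number")
        return value

    def roll(self, count, sides):
        if not (1 <= count <= MAX_DICE) or not (1 <= sides <= MAX_SIDES):
            raise DiceError("roll out of range: %dd%d" % (count, sides))
        return sum(self.rng.randint(1, sides) for _ in range(count))


def evaluate(text, rng=None):
    """Parse and roll a dice expression; rng may be a seeded random.Random for tests."""
    parser = Parser(tokenize(text.strip()), rng or random.SystemRandom())
    result = parser.parse_expr()
    if parser.pos != len(parser.tokens):
        raise DiceError("trailing input")
    return result


def is_valid(text):
    """True when the input lies inside the dice grammar and limits, False otherwise."""
    try:
        evaluate(text, random.Random(0))
        return True
    except DiceError:
        return False
```

Because the tokenizer admits only digits, `d`, operators and parentheses, code-shaped input such as `__import__('os').system('id')` or `3d6; system('id')` fails at the first stray character and never reaches anything that could execute it; the count and sides caps close the other common denial-of-service hole in a dice server, an absurdly large roll.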