A malicious custom level author can easily break out of the Lua sandbox by using the global environment (_G) that's passed to the level code. Example exploit:
    os = _G.require("os")
    os.execute("kcalc")
The environment of the script must be white-listed to contain only safe fields.
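As an added illustration (not code from the original report or the project), this is the shape of a loader that gives level code a white-listed environment instead of _G; the names make_level_env and run_level and the exact field list are assumptions chosen for the example.

```lua
-- Added example, not from the original report: load untrusted level code
-- with a white-listed environment instead of handing it _G.
-- Works on Lua 5.1 (loadstring/setfenv) and 5.2+ (load with an env table).
-- The field list below is an illustrative minimum, not an official one.

local function make_level_env()
  -- Copy only pure, side-effect-free functions into a fresh table.
  -- Deliberately absent: _G, require, os, io, load, loadstring, dofile,
  -- loadfile, package, debug, rawget/rawset, getmetatable/setmetatable.
  local env = {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, select = select, tonumber = tonumber, tostring = tostring,
    type = type, pcall = pcall, unpack = table.unpack or unpack,
    math = { abs = math.abs, ceil = math.ceil, floor = math.floor,
             max = math.max, min = math.min, sqrt = math.sqrt, pi = math.pi },
    string = { byte = string.byte, char = string.char, find = string.find,
               format = string.format, len = string.len, lower = string.lower,
               sub = string.sub, upper = string.upper },
    table = { concat = table.concat, insert = table.insert,
              remove = table.remove, sort = table.sort },
  }
  -- Caveat: string values reach the real string library through their
  -- shared metatable, so ("x"):rep(n) works regardless of this copy.
  return env
end

local function run_level(source, name)
  -- Refuse precompiled chunks: the Lua VM does not safely validate bytecode.
  if source:byte(1) == 27 then return false, "bytecode chunks are not allowed" end
  local env, chunk, err = make_level_env()
  if setfenv then                              -- Lua 5.1
    chunk, err = loadstring(source, name)
    if chunk then setfenv(chunk, env) end
  else                                         -- Lua 5.2+: "t" = text only
    chunk, err = load(source, name, "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

-- A benign level runs normally.
assert(run_level("return math.floor(3.7) + #string.upper('ab')", "good"))

-- The exploit from the report now fails: _G is absent from the environment,
-- so the level cannot reach require or os.
local ok, err = run_level([[
  os = _G.require("os")
  os.execute("kcalc")
]], "malicious_level")
assert(not ok)
print("blocked:", err)
```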