Update sandbox.md

Replace debug.getinfo with debug.info
Arseny Kapoulkine 2022-05-09 18:34:31 -07:00 committed by GitHub
parent 7935f9f8b6
commit be0b7d07e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions

@ -19,7 +19,7 @@ The following libraries and global functions have been removed as a result:
- `io.` library has been removed entirely, as it gives access to files and allows running processes
- `package.` library has been removed entirely, as it gives access to files and allows loading native modules
- `os.` library has been cleaned up from file and environment access functions (`execute`, `exit`, etc.). The only supported functions in the library are `clock`, `date`, `difftime` and `time`.
- `debug.` library has been removed to a large extent, as it has functions that aren't memory safe and other functions break isolation; the only supported functions are `traceback` ~~and `getinfo` (with reduced functionality)~~.
- `debug.` library has been removed to a large extent, as it has functions that aren't memory safe and other functions break isolation; the only supported functions are `traceback` and `info` (which is similar to `debug.getinfo` but has a slightly different interface).
- `dofile` and `loadfile` allowed access to file system and have been removed.
To achieve memory safety, access to function bytecode has been removed. Bytecode is hard to validate and using untrusted bytecode may lead to exploits. Thus, `loadstring` doesn't work with bytecode inputs, and `string.dump`/`load` have been removed as they aren't necessary anymore. When embedding Luau, bytecode should be encrypted/signed to prevent MITM attacks as well, as the VM assumes that the bytecode was generated by the Luau compiler (which never produces invalid/unsafe bytecode).
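Review bot: In the rewritten `debug.` bullet, "similar to `debug.getinfo` but has a slightly different interface" does not tell the reader what `info` actually exposes, which is the one thing a sandbox document needs to state. The same bullet justifies removing the rest of the library on the grounds that some functions aren't memory safe and others break isolation, so it should say which options `info` accepts and what it returns, or link to its reference entry. Since the bullet now lists only `traceback` and `info` as supported, it would also help to state outright that `debug.getinfo` is no longer available, so anyone auditing existing scripts knows calls to it will fail.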