Love security flaw

Questions about the LÖVE API, installing LÖVE and other support related questions go here.
Forum rules
Before you make a thread asking for help, read this.
User avatar
Taehl
Dreaming in associative arrays
Posts: 1024
Joined: Mon Jan 11, 2010 5:07 am
Location: CA, USA
Contact:

Love security flaw

Post by Taehl » Tue Feb 22, 2011 5:29 am

I was checking out the Lua documentation, and noticed a little function called io.popen. What it does is execute a specified program. I checked, and io.popen is available in Love 0.7. I think it should be blocked - Love games have no need to execute other programs. Amongst other uses, someone could make a Love game which contains a malicious binary as a string, which writes it to a file and then executes it.
Earliest Love2D supporter who can't Love anymore. Let me disable pixel shaders if I don't use them, dammit!
Lenovo Thinkpad X60 Tablet, built like a tank. But not fancy enough for Love2D 0.10.0+.

User avatar
Robin
The Omniscient
Posts: 6506
Joined: Fri Feb 20, 2009 4:29 pm
Location: The Netherlands
Contact:

Re: Love security flaw

Post by Robin » Tue Feb 22, 2011 6:18 am

There was heavy opposition when some people (including me) suggested that LÖVE should be sandboxed.

SELÖVE is my fork of LÖVE that does exactly that --- it hasn't been updated for a while though.
Help us help you: attach a .love.

User avatar
Taehl
Dreaming in associative arrays
Posts: 1024
Joined: Mon Jan 11, 2010 5:07 am
Location: CA, USA
Contact:

Re: Love security flaw

Post by Taehl » Tue Feb 22, 2011 6:45 am

Couldn't the Lua statement io.popen=nil simply be run before main.lua is opened?
Earliest Love2D supporter who can't Love anymore. Let me disable pixel shaders if I don't use them, dammit!
Lenovo Thinkpad X60 Tablet, built like a tank. But not fancy enough for Love2D 0.10.0+.

User avatar
Robin
The Omniscient
Posts: 6506
Joined: Fri Feb 20, 2009 4:29 pm
Location: The Netherlands
Contact:

Re: Love security flaw

Post by Robin » Tue Feb 22, 2011 9:49 am

Taehl wrote:Couldn't the Lua statement io.popen=nil simply be run before main.lua is opened?
That is in essence what SELÖVE does (among other things). People thought it was needlessly limiting their right to fuck up other people's computers or something, that's why it's not in vanilla LÖVE.
Help us help you: attach a .love.

User avatar
nevon
Commander of the Circuloids
Posts: 938
Joined: Thu Feb 14, 2008 8:25 pm
Location: Stockholm, Sweden
Contact:

Re: Love security flaw

Post by nevon » Tue Feb 22, 2011 10:03 am

I've actually been using that to open the user's default web browser when they click on a "link". Could be used for credits, but it could also be used if people need to register on some website to be able to play the game.

I do see how it's a security risk, but honestly, if the user is running your software you can do malicious shit even if io.popen is disabled.

User avatar
miko
Party member
Posts: 409
Joined: Fri Nov 26, 2010 2:25 pm
Location: PL

Re: Love security flaw

Post by miko » Tue Feb 22, 2011 10:36 am

Taehl wrote:I was checking out the Lua documentation, and noticed a little function called io.popen. What it does is execute a specified program. I checked, and io.popen is available in Love 0.7. I think it should be blocked - Love games have no need to execute other programs. Amongst other uses, someone could make a Love game which contains a malicious binary as a string, which writes it to a file and then executes it.
I see love2d not only as a game platform (which it originally is), but also as a useful environment where you can run small applications and utilities which are good looking, multiplatform and fun. As a linux user, I am able to create the execucatble for windows users without touching any windows system - which is really great. So if you need to block it, just do it in your game, but please do not do it for the whole platform.
My lovely code lives at GitHub: http://github.com/miko/Love2d-samples

User avatar
Taehl
Dreaming in associative arrays
Posts: 1024
Joined: Mon Jan 11, 2010 5:07 am
Location: CA, USA
Contact:

Re: Love security flaw

Post by Taehl » Tue Feb 22, 2011 6:23 pm

miko wrote:So if you need to block it, just do it in your game, but please do not do it for the whole platform.
... That makes no sense. How is it any safer to politely ask an attacker to disable it?
Earliest Love2D supporter who can't Love anymore. Let me disable pixel shaders if I don't use them, dammit!
Lenovo Thinkpad X60 Tablet, built like a tank. But not fancy enough for Love2D 0.10.0+.

User avatar
nevon
Commander of the Circuloids
Posts: 938
Joined: Thu Feb 14, 2008 8:25 pm
Location: Stockholm, Sweden
Contact:

Re: Love security flaw

Post by nevon » Tue Feb 22, 2011 6:30 pm

Taehl wrote:
miko wrote:So if you need to block it, just do it in your game, but please do not do it for the whole platform.
... That makes no sense. How is it any safer to politely ask an attacker to disable it?
Isn't the best solution to have the user not be an idiot and only run applications they trust? I really see it as a hindrance to throw in a bunch of artificial limitations that may prevent some "attacks" (though the attacker can just use another method), while definitely preventing lovers from doing legitimate, cool stuff.

User avatar
Robin
The Omniscient
Posts: 6506
Joined: Fri Feb 20, 2009 4:29 pm
Location: The Netherlands
Contact:

Re: Love security flaw

Post by Robin » Tue Feb 22, 2011 7:00 pm

I rest my case.
Help us help you: attach a .love.

User avatar
tentus
Inner party member
Posts: 1060
Joined: Sun Oct 31, 2010 7:56 pm
Location: Appalachia
Contact:

Re: Love security flaw

Post by tentus » Tue Feb 22, 2011 7:03 pm

Now that Nevon has made his case, I'd say I'm swayed. I can easily imagine a malicious individual working around any limitations we try and put up, and it what Robin is suggesting is a feature removal, plain and simple. Shouldn't we be trying to expand what Love can do, not pare it down?
Kurosuke needs beta testers

Post Reply

Who is online

Users browsing this forum: Bing [Bot] and 5 guests