For interested Beta4 testers, could you please verify the following:
Corona 2.0 - Beta4
loadfile() Lua function - and most probably dofile() and loadstring() as well - hang on the device build.
Example:
local myfunc = loadfile(system.pathForFile(“myfile.lua”))() – file is in resources folder, same as main.lua
Works on the simulator but not on the device build.
If there’s any known issue wrt this bug, sorry for reporting twice. [import]uid: 5750 topic_id: 1076 reply_id: 301076[/import]
Its not a bug, its a feature. DoFile is definately not available and I am sure loadfile either. Its for security reasons that Ansca has them removed. [import]uid: 5712 topic_id: 1076 reply_id: 2664[/import]
Well, I have to disagree with security concerns regarding dofile(), loadfile(). Firstly because you are given the full i/o Lua library, which would be much more dangerous than loadfile()…although i/o is now fully functional.
Doing simple lua script inclusion with modules is much, much more unpractical than a simple loadfile().
For demonstration, you could write a Lua chunk in a .txt file, load it using io.read() and execute it using loadstring() - unless they removed loadstring() as well, which would be a shame.
I’d certainly vote for re-inclusion of dofile() and loadfile().
[import]uid: 5750 topic_id: 1076 reply_id: 2674[/import]
We need to document this better. LoadFile and DoFile are disable for security reasons.
Bug tracking # 221
Carlos [import]uid: 24 topic_id: 1076 reply_id: 2676[/import]
Have you tried io.read()? [import]uid: 54 topic_id: 1076 reply_id: 2677[/import]
Hi Eric,
I can’t see the difference from:
[lua]local myfunc = loadstring(io.read(system.pathForFile(“myfile.lua”))) [/lua]
and
[lua]local myfunc = loadfile(system.pathForFile(“myfile.lua”))[/lua]
…what’s the security concern with the latter compared to the former ?
But moreover, anything you can do with loadstring() you can include with modules… what’s the point ?
[import]uid: 5750 topic_id: 1076 reply_id: 2681[/import]
Oh I’m sorry, I totally misunderstood what you were trying to do.
Loading code at runtime is a big nono in the Apple TOS.
[import]uid: 54 topic_id: 1076 reply_id: 2684[/import]
You mean loadstring(io.read()) doesn’t work as well ?
How about modules ? Can’t you require() a module at runtime, maybe downloaded from a website ?
[import]uid: 5750 topic_id: 1076 reply_id: 2688[/import]
You can load them at start time in main.lua. If you require another file in main.lua, that file will be processed and any requires there will be handled at that time.
Once main.lua has been fully processed, all require statements have been processed as well. At that point the runtime actually starts.
So, no, you can’t “during runtime” load any additional code.
This is a big deal for Apple as something as trivial as loadstring would allow arbitrary execution of code which is something which could, unless done extremely carefully, be exploited.
Scott [import]uid: 5659 topic_id: 1076 reply_id: 2695[/import]
Scott is correct – Lua’s “require” works fine in Corona, but “require” is not loading code at runtime, which is forbidden. [import]uid: 3007 topic_id: 1076 reply_id: 2791[/import]
Ok, thanks for your clarifications.
I second Carlos that this should be outlined better in the docs. Maybe with a dedicated chapter, like “Changes to Lua language and standard functions”.
[import]uid: 5750 topic_id: 1076 reply_id: 2793[/import]