Topic on Extension talk:Scribunto

Suggestion: Whitelist debug.getinfo and debug.getlocal

197.218.90.60 (talkcontribs)

Use case:

Providing fine-grained tracing, traceback and debugging of functions and local variables.

Example:

https://wiki.garrysmod.com/page/debug/getinfo

https://wiki.garrysmod.com/page/debug/getlocal

Are these really blocked for security reasons?

In the past, on another platform (not MediaWiki but "ptokax"), I've used debug.getinfo to pinpoint errors and debug very long and badly documented Lua scripts, sometimes using a built-in console in the program. This is really invaluable for evaluating very complex scripts and quickly pinpointing the exact function and parameters (and their values) that caused the errors.

In fact, in ptokax (a Direct Connect tool) we used it on a lot of functions due to the "live" nature of the scripts, and to catch real "run time" errors, which were then logged onto the actual hard disk. Logging errors is unnecessary in MediaWiki, but using the console to find out possible errors is still very useful.

I know the norm is to request a feature in Phabricator, but considering that this was deliberately removed due to security considerations, this seems to be a better venue to discuss the merits or lack thereof of these two debugging tools.

Anomie (talkcontribs)

The danger in these functions is that they allow access to any level in the call stack, including levels that are outside of the module's sandbox.

It might be possible to write wrappers that check for escaping the sandbox, depending on just what it does with respect to C functions, but it seems unlikely to be worth the effort.
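A sketch of the kind of level-checking wrapper described in the reply above, as an added example (it is not Scribunto code and not from any participant in this thread). It assumes the stock Lua debug library; `stack_depth`, `run_sandboxed`, `guarded_getlocal` and `probe` are hypothetical names, and the sample values are constructed.

```lua
-- Added illustration, not Scribunto's code; every name below is hypothetical.

-- Number of stack frames from the caller of stack_depth() up to the top.
local function stack_depth()
  local n = 0
  while debug.getinfo(n + 2, "l") do n = n + 1 end
  return n
end

-- Calls user_fn with a getlocal that refuses levels above user code.
local function run_sandboxed(user_fn)
  local base = stack_depth()  -- frames at and above this host frame
  local function guarded_getlocal(level, index)
    if type(level) ~= "number" or level < 1 or level % 1 ~= 0 then
      error("level must be a positive integer", 2)
    end
    local inside = stack_depth() - base - 1  -- frames owned by user code
    if level > inside then
      error("stack level is outside the sandbox", 2)
    end
    -- +1 skips this wrapper's frame; deliberately not a tail call
    local name, value = debug.getlocal(level + 1, index)
    return name, value
  end
  local result = user_fn(guarded_getlocal)  -- plain call: no extra C frame
  return result
end

-- Constructed demo: the user function inspects local #2 at a chosen level.
local function probe(level)
  return pcall(run_sandboxed, function(getlocal)
    local mine = "module value"
    local name, value = getlocal(level, 2)
    return tostring(name) .. " = " .. tostring(value)
  end)
end

print(probe(1))  -- own frame: allowed
print(probe(2))  -- run_sandboxed's frame: refused
```

The check fails closed inside a coroutine, where the measured depth is smaller than `base`. It does not settle what should be exposed for C function frames that user code itself introduces (for example via `pcall`), which is the open question the reply raises.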

197.218.89.52 (talkcontribs)

I tried this hack (http://stackoverflow.com/a/3300235):

local function myerrhandler ( errobj )
    print(debug.traceback())
    for k,v in pairs(_G) do print("GLOBAL:" , k,v) end
    return false
end

xpcall( function ()
--Your code here
end , myerrhandler )

It fetched everything except the local variables; maybe I'm missing something obvious.

197.218.90.4 (talkcontribs)