sandbox: no popen

Again, too difficult to sandbox for now.

README.md

@@ -131,6 +131,7 @@ libraries. However, a few things are different from conventional Lua:
 * Some functions are disabled because I don't know how to sandbox them
   effectively:
   - `os.execute`
+  - `io.popen`
 * Some functions in lcurses have [additional smarts](https://github.com/lcurses/lcurses/blob/master/lib/curses.lua).
   Teliva is [consistent with the underlying ncurses](https://github.com/akkartik/teliva/blob/main/src/lcurses/curses.lua).
 

sandboxing/README.md

@@ -33,7 +33,7 @@ Scenarios:
       allows an app to do anything. Educate people to separate apps that read
       sensitive data from apps that access remote servers.
     - (2) solution: map phases within an app to distinct permission sets
-  * (3) app wants access to system() or exec()
+  * (3) app wants access to system() or exec() or popen()
 
 Difficulty levels
   1. I have some sense of how to enforce this.

src/liolib.c

@@ -102,17 +102,6 @@ static int io_noclose (lua_State *L) {
 }
 
 
-/*
-** function to close 'popen' files
-*/
-static int io_pclose (lua_State *L) {
-  FILE **p = tofilep(L);
-  int ok = lua_pclose(L, *p);
-  *p = NULL;
-  return pushresult(L, ok, NULL);
-}
-
-
 /*
 ** function to close regular files
 */
@@ -167,19 +156,6 @@ static int io_open (lua_State *L) {
 }
 
 
-/*
-** this function has a separated environment, which defines the
-** correct __close for 'popen' files
-*/
-static int io_popen (lua_State *L) {
-  const char *filename = luaL_checkstring(L, 1);
-  const char *mode = luaL_optstring(L, 2, "r");
-  FILE **pf = newfile(L);
-  *pf = lua_popen(L, filename, mode);
-  return (*pf == NULL) ? pushresult(L, 0, filename) : 1;
-}
-
-
 static int io_tmpfile (lua_State *L) {
   FILE **pf = newfile(L);
   *pf = tmpfile();
@@ -484,7 +460,7 @@ static const luaL_Reg iolib[] = {
   {"lines", io_lines},
   {"open", io_open},
   {"output", io_output},
-  {"popen", io_popen},
+  /* no popen without sandboxing it */
   {"read", io_read},
   {"tmpfile", io_tmpfile},
   {"type", io_type},
@@ -547,10 +523,6 @@ LUALIB_API int luaopen_io (lua_State *L) {
   createstdfile(L, stdout, IO_OUTPUT, "stdout");
   createstdfile(L, stderr, 0, "stderr");
   lua_pop(L, 1);  /* pop environment for default files */
-  lua_getfield(L, -1, "popen");
-  newfenv(L, io_pclose);  /* create environment for 'popen' */
-  lua_setfenv(L, -2);  /* set fenv for 'popen' */
-  lua_pop(L, 1);  /* pop 'popen' */
   return 1;
 }
 

src/luaconf.h

@@ -620,34 +620,6 @@ extern int mkstemp(char *);
 #endif
 
 
-/*
-@@ lua_popen spawns a new process connected to the current one through
-@* the file streams.
-** CHANGE it if you have a way to implement it in your system.
-*/
-#if defined(LUA_USE_POPEN)
-
-/* we have newer libraries even though the dialect is C99 */
-#include <stdio.h>
-extern FILE *popen(const char *, const char *);
-extern int pclose(FILE *);
-
-#define lua_popen(L,c,m)	((void)L, fflush(NULL), popen(c,m))
-#define lua_pclose(L,file)	((void)L, (pclose(file) != -1))
-
-#elif defined(LUA_WIN)
-
-#define lua_popen(L,c,m)	((void)L, _popen(c,m))
-#define lua_pclose(L,file)	((void)L, (_pclose(file) != -1))
-
-#else
-
-#define lua_popen(L,c,m)	((void)((void)c, m),  \
-		luaL_error(L, LUA_QL("popen") " not supported"), (FILE*)0)
-#define lua_pclose(L,file)		((void)((void)L, file), 0)
-
-#endif
-
 /*
 @@ LUA_DL_* define which dynamic-library system Lua should use.
 ** CHANGE here if Lua has problems choosing the appropriate