popen blocked by other sandboxes

[chruss2]

I ran across a bug in the Lua sandbox when two inputs in Hindsight are using io.popen. They aren't sandboxed well enough. In the example below, Input 2 waiting for data prevents Input 1 from running properly.

Input 1:

require "io"
function process_message()
  -- Heavy initialization that takes some time to load.
  -- For demo purposes, I'll just sleep so that some time goes by.
  fh = io.popen("sleep 1", "r")
  fh:close()
  -- Now the actual popen call. It should run right away, but instead hangs
  -- until Input 2 gets out of its lines() iterator.
  fh = io.popen("echo I got here on `date` > /tmp/status", "r")
end

Input 2:

require "io"
function process_message()
  fh = io.popen("while true; do sleep 86400; echo One per day; done", "r")
  for line in fh:lines() do
    -- process and inject messages here
  end
end

The cause of this is lua_popen (a macro in include/luasandbox/luaconf.h) which calls fflush(NULL) before calling popen. The popen(3) man page does recommend doing this to avoid garbled input or output, but it is harmful in the case of multiple sandboxes and threads.

[trink]

Yes there are known issues with popen in the sandbox see: mozilla-services/hindsight#35