[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: lua table marshaler
- From: Paul Swanson <pswanson@...>
- Date: Fri, 14 Dec 2001 14:49:02 -0800 (PST)
Greetings all you Lua buffs,
I've been using functions to marshal and unmarshal a Lua table over a
line-oriented ascii protocol, and they work well. This post was
originally in response to the "floating point vs. integer" arguments,
since I believe I've experienced tostring(5) -> 4.999999 or something
similar, but of course after actually hunting for the test-case that
produces it, I can't find it.
So instead, I'm posting my marshaling code for review by better Lua coders
than I, which is something I've been wanting to do for awhile. I have one
major concern (though I'm interested in any suggestions for cleaning up
or simplifying the code), which is this:
(before I get any further into the problem, here's a link to the source.
Please, ask me first if you want to use this code in your own
application. http://www.meat.net/~pswanson/marshal.lua)
The marshalTable() function returns a string which is almost directly
parseable by dostring (look at unmarshalTable to see how it works; the
outermost braces have been omitted for brevity). I believe that using
dostring() directly is a security hole, though I haven't come up with an
explicit "exploit". Short of building a hand-parser, can I make the
unmarshalTable function safe? Possibilities:
- using a separate lua_State with no external functions to parse the
table; but then how do I transfer the table to the main lua_State?
- setting globals() temporarily to an empty table, with set/get tags to
generate an error;
- using an internal lua C function.
Note that the marshaled table really shouldn't have anything but string
and number constants in it, but _any_ string/number index or value should
be marshaled correctly.
Thanks for any help or ideas you might have,
Paul Swanson
