Greetings all you Lua buffs,

I've been using functions to marshal and unmarshal a Lua table over a
line-oriented ASCII protocol, and they work well.  This post was
originally in response to the "floating point vs. integer" arguments,
since I believe I've experienced tostring(5) -> 4.999999 or something
similar, but of course after actually hunting for the test-case that
produces it, I can't find it.

So instead, I'm posting my marshaling code for review by better Lua coders
than I, which is something I've been wanting to do for a while.  I have one
major concern (though I'm interested in any suggestions for cleaning up
or simplifying the code), which is this:

(before I get any further into the problem, here's a link to the source.
Please, ask me first if you want to use this code in your own
application.  http://www.meat.net/~pswanson/marshal.lua)

The marshalTable() function returns a string which is almost directly
parseable by dostring (look at unmarshalTable to see how it works; the
outermost braces have been omitted for brevity).  I believe that using
dostring() directly is a security hole, though I haven't come up with an
explicit "exploit".  Short of building a hand-parser, can I make the
unmarshalTable function safe?  Possibilities:

- using a separate lua_State with no external functions to parse the
table; but then how do I transfer the table to the main lua_State?
- setting globals() temporarily to an empty table, with set/get tags to
generate an error;
- using an internal lua C function.

Note that the marshaled table really shouldn't have anything but string
and number constants in it, but _any_ string/number index or value should
be marshaled correctly.

Thanks for any help or ideas you might have,
Paul Swanson
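
The "empty globals" option from the list in the post, written for current Lua as an added example; it is not code from marshal.lua or from the post's author. It assumes Lua 5.2 or later, where `load` takes the place of `dostring` and accepts a mode and an environment, and it assumes the input is a table-constructor body as the post describes; `check_constants_only` and `unmarshal_table` are hypothetical names.

```lua
-- Outside string literals only these characters are accepted: enough for
-- numbers, names used as keys and table punctuation. Parentheses are absent,
-- so neither calls nor function expressions can be written.
local ALLOWED = "^[%w_%s{}%[%]=,;.+-]$"

-- Walk the text as the Lua lexer would for quoted strings and reject
-- anything else that is not plain constant-table syntax.
local function check_constants_only(text)
  local i, n = 1, #text
  while i <= n do
    local c = text:sub(i, i)
    if c == '"' or c == "'" then
      local j = i + 1                       -- skip the quoted string
      while j <= n and text:sub(j, j) ~= c do
        if text:sub(j, j) == "\\" then j = j + 1 end  -- escaped character
        j = j + 1
      end
      if j > n then return nil, "unterminated string" end
      i = j + 1
    else
      local two = text:sub(i, i + 1)
      -- comments and long strings could hide code from this scanner
      if two == "--" or two == "[[" or two == "[=" then
        return nil, "comments and long strings are not accepted"
      end
      if not c:match(ALLOWED) then
        return nil, "unexpected character " .. ("%q"):format(c)
      end
      i = i + 1
    end
  end
  return true
end

local function unmarshal_table(text)
  local ok, err = check_constants_only(text)
  if not ok then return nil, err end
  -- mode "t" refuses precompiled chunks; env {} leaves the chunk no globals
  local chunk, lerr = load("return {" .. text .. "}", "=marshal", "t", {})
  if not chunk then return nil, lerr end
  local ran, result = pcall(chunk)
  if not ran then return nil, result end
  return result
end

-- Constructed inputs: a well-formed table body, then one that is not data.
local t = assert(unmarshal_table('name = "lua", [1] = 4.5, pos = {x = -1, ["y z"] = 2}'))
print(t.name, t[1], t.pos.x, t.pos["y z"])
print(unmarshal_table('a = 1, b = print("not data")'))
```

Input that the scanner rejects, or that fails to compile or run, comes back as nil plus a message. A bare name used as a value evaluates to nil in the empty environment.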