Hi,

Roberto Ierusalimschy wrote:
> Well, there are other "problems", for instance
> a traversal of a table with NaN will also fail, again because
> it will not be able to find that key to continue the traversal.
> But that does not "break" Lua, it is only a strange behavior for a
> strange situation.

Ahemm ... such a behaviour rings all alarm bells in my mind.

If you can trick an application into inserting a NaN key into a
table, you've effectively created a denial of service attack.
Because a subsequent table traversal will throw an error.
Previously there was no possibility this activity could have
thrown an error.

Or think about sandboxing: malicious sandboxed code could just
insert a NaN into a table and make the surrounding supervisor
code crash later on.

You are opening the gates here ... I don't think everyone will
remember to wrap all potentially dangerous table traversals with
pcall(). This has the same potential for abuse as the inadvertent
user code execution problem with getmetatable() (fixed in
5.1-beta).

I don't care so much whether NaN can be inserted or not or
whether it can be retrieved or not. But breaking table traversals
is not a good idea IMHO.

Bye,
     Mike
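
The defensive pattern the message points to, as an added example that is not part of the original post: refuse NaN keys at the point where untrusted values become table keys, and run supervisor-side traversals under pcall(). The names `is_nan`, `checked_set` and `guarded_traverse` and the sample data are hypothetical.

```lua
-- Added example, not code from the original post or from the Lua sources.

-- NaN is the only Lua value that is not equal to itself.
local function is_nan(v)
  return type(v) == "number" and v ~= v
end

-- Store a value under a key supplied by untrusted code or input.
-- Returns true, or nil plus a reason when the key is refused.
local function checked_set(t, key, value)
  if key == nil or is_nan(key) then
    return nil, "unusable key: " .. tostring(key)
  end
  t[key] = value
  return true
end

-- Traverse a table that untrusted code may have touched. An error raised
-- by the iteration or by the visitor is caught here, so the supervisor
-- keeps running and can decide what to do with the table.
local function guarded_traverse(t, visit)
  local ok, err = pcall(function()
    for k, v in pairs(t) do
      visit(k, v)
    end
  end)
  if not ok then
    return nil, "traversal aborted: " .. tostring(err)
  end
  return true
end

-- Constructed sample input: key/value pairs as sandboxed code might send them.
local nan = 0/0
local registry = {}
local incoming = { {"alpha", 1}, {nan, 2}, {42, 3} }

for _, pair in ipairs(incoming) do
  local ok, why = checked_set(registry, pair[1], pair[2])
  if not ok then
    print("rejected:", why)
  end
end

local count = 0
local ok, why = guarded_traverse(registry, function() count = count + 1 end)
print("traversal ok:", ok, "reason:", why, "entries visited:", count)
```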