lua-l archive



I agree about the security concerns, especially when using serialized data as an RPC format. An additional problem is that standard Lua bytecodes don't work between little and big endian systems, which would make it less useful as an RPC format.

Ideally the binary format should be exchangeable between systems. There's more out there than the x86 architecture.

Ge'

Alexander Gladysh wrote:
On Mon, Feb 23, 2009 at 4:36 AM, Alexander Gladysh <agladysh@gmail.com> wrote:
On Mon, Feb 23, 2009 at 4:18 AM, Luiz Henrique de Figueiredo <lhf@tecgraf.puc-rio.br> wrote:
I wrote a small and simple library called "luabins" to serialize and
unserialize trivial Lua values (including tables) into arbitrary
binary data format.

My approach to this problem is to use Lua bytecode format instead of
inventing yet another binary format.

<...>

I've seen your solution. But I have some problems with it:

1. Lua bytecode is unsafe and may crash Lua. <...>

Sorry, I've got carried away. Problem 1 is sufficient in our case.

Unless Lua bytecode is somehow proven as crash-safe as Lua sources, it
may not be used as a data format.

Of course, my custom binary format is not proven safe as well. But
both format and implementation are much simpler than Lua bytecode and
Lua VM -- they are designed to solve much simpler problems.

Also, how do I protect from, say, infinite loops embedded into
bytecode I'm about to load? Putting hooks or pre-parsing it is likely
to degrade performance considerably.

Alexander.
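
Both objections raised in this thread can be checked from a chunk's first bytes: a precompiled chunk's header is tied to the machine that produced it, and bytecode from a peer should never reach the loader. The following Lua code is an added example, not code from the thread or from luabins; it assumes the 12-byte Lua 5.1 binary chunk header, and the function names and sample headers are constructed for illustration.

```lua
-- Added example, not from the thread. Assumes the Lua 5.1 binary chunk
-- header (12 bytes); other Lua versions lay the header out differently.
local FIELDS = { "version", "format", "little_endian", "sizeof_int",
                 "sizeof_size_t", "sizeof_instruction", "sizeof_number",
                 "integral_number" }

-- Parse the header of a precompiled chunk. Returns a table of fields,
-- or nil plus a reason when the string is not a complete binary header.
local function parse_header(chunk)
  if type(chunk) ~= "string" or chunk:sub(1, 4) ~= "\27Lua" then
    return nil, "not a binary chunk"
  end
  if #chunk < 12 then return nil, "truncated header" end
  local bytes, h = { chunk:byte(5, 12) }, {}
  for i, name in ipairs(FIELDS) do h[name] = bytes[i] end
  return h  -- little_endian: 1 on little-endian hosts, 0 on big-endian
end

-- Lua 5.1 rejects a chunk whose header differs from its own in any byte.
-- List the fields that differ between a received chunk and the host.
local function header_mismatches(received, host)
  local diff = {}
  for _, name in ipairs(FIELDS) do
    if received[name] ~= host[name] then diff[#diff + 1] = name end
  end
  return diff
end

-- Gate for input from a peer: loadstring accepts source and bytecode
-- alike, so refuse anything that starts with the ESC signature byte.
local function accept_untrusted(chunk)
  if type(chunk) ~= "string" then return false, "not a string" end
  if chunk:sub(1, 1) == "\27" then return false, "binary chunk refused" end
  return true
end

-- Constructed sample headers (hypothetical 32-bit builds, double numbers).
local little = "\27Lua\81\0\1\4\4\4\8\0"
local big    = "\27Lua\81\0\0\4\4\4\8\0"

local diff = header_mismatches(parse_header(big), parse_header(little))
print("fields that differ: " .. table.concat(diff, ", "))
print(accept_untrusted(little))
print(accept_untrusted("return { 1, 2, 3 }"))
```

The gate only keeps bytecode away from the loader; it does nothing about the infinite-loop concern, which applies to source text as well.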