lua-l archive



On Sat, Jun 5, 2010 at 01:06, Jonathan Castello <twisolar@gmail.com> wrote:
> On Fri, Jun 4, 2010 at 11:37 PM, Ricardo Ramos Massaro
> <ricardo.massaro@gmail.com> wrote:
>> On Sat, Jun 5, 2010 at 3:18 AM, Jonathan Castello <twisolar@gmail.com> wrote:
>>> ----
>>> local input = [["line1"\nline2]]
>>> input = input:gsub([["]], [[\"]])
>>> local output = loadstring("return \"" .. input .. "\"")()
>>> ----
>>
>> This one fails if the input contains a backslash followed by a double quote.
>>
>> -Ricardo
>>
>
> Bleh, good catch. I can't believe I forgot about these two.
>
> ----
> function reverse_q(str)
>   str = str:gsub([[\?"]], [[\"]])
>   return (assert(loadstring("return \"" .. str .. "\""))())
> end
> ----
>
> Test: print(reverse_q[[\\\n\"]])
> Output:
> \
> "
>
> Those two should be the only ones you have to worry about, I think. \
> is obvious, and " is because I'm using \" in loadstring.
>
> ~Jonathan
>

Anything using loadstring is going to introduce security issues if
someone manages to break out of your string. The only good way to do
this is to replace individual sequences, i.e. gsub("\\n", "\n"). As
soon as you write that, the "\\" in the first string becomes a single
"\", and the "\n" in the second becomes an actual line break; the
interpreter never sees "\\".

-- 
Sent from my toaster.
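
The approach described in the reply above (replace escape sequences directly instead of handing the input to loadstring), as an added example that is not code from this thread. It generalizes the single gsub("\\n", "\n") to a one-pass table lookup, so an escaped backslash is consumed together with its partner and never re-read as the start of another escape. The names unescape and ESCAPES and the set of supported sequences are assumptions.

```lua
-- Added example: unescape backslash sequences without loadstring.
-- ESCAPES and unescape are hypothetical names, not from the thread.
local ESCAPES = {
  a = "\a", b = "\b", f = "\f", n = "\n", r = "\r", t = "\t", v = "\v",
  ["\\"] = "\\", ['"'] = '"', ["'"] = "'",
}

local function unescape(str)
  -- One left-to-right pass: every backslash consumes exactly the next
  -- character. ".?" lets a trailing lone backslash match with an empty
  -- capture, which is then rejected like any other unknown sequence.
  return (str:gsub("\\(.?)", function(c)
    local replacement = ESCAPES[c]
    if replacement == nil then
      error("unsupported escape sequence: \\" .. c)
    end
    return replacement
  end))
end

-- Constructed inputs; long brackets keep the backslashes literal.
-- The two inputs that appear in the thread:
assert(unescape([["line1"\nline2]]) == "\"line1\"\nline2")
assert(unescape([[\\\n\"]]) == "\\\n\"")

-- Escaped backslash followed by n stays the two characters \ and n.
assert(unescape([[\\n]]) == "\\n")

-- Applying gsub("\\n", "\n") on its own to the same input misreads it
-- as backslash + line break, which is why the pass must be single.
local naive = ([[\\n]]):gsub("\\n", "\n")
assert(naive == "\\\n")

-- A quote after an escaped backslash is plain data here: nothing is
-- compiled, so the text after it is copied through, never evaluated.
assert(unescape([[\\" .. os.time() .. "]]) == [[\" .. os.time() .. "]])

-- Unknown or incomplete sequences are rejected instead of guessed at.
assert(not pcall(unescape, [[\q]]))
assert(not pcall(unescape, [[abc\]]))

print("all unescape checks passed")
```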