Re: unescape lua string (opposite of %q)

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: unescape lua string (opposite of %q)
From: Kristofer Karlsson <kristofer.karlsson@...>
Date: Sun, 6 Jun 2010 20:47:57 +0200

One suggestion for the unescape is to first use loadstring, and then use string.dump to verify that it contains no harmful code.
Basically, you just need to check that the function consists of two opcodes. one LOADK for the string data, and one RETURN, which should be fairly easy to verify.

On Sun, Jun 6, 2010 at 2:37 PM, Shmuel Zeigerman <shmuz@013net.net> wrote:

Erik Lindroos wrote:

The above function is not fully correct but it is 100% secure. No
input can cause the execution of 'str' itself.

Except of course something like:

print(reverse_q("\\\\\" .. (1+1) -- \\"))

Oops. I stand corrected. Time to fix some of my own code. Thanks.

--
Shmuel

Follow-Ups:
- Re: unescape lua string (opposite of %q), Shmuel Zeigerman

References:
- unescape lua string (opposite of %q), Graham Wakefield
- Re: unescape lua string (opposite of %q), Luiz Henrique de Figueiredo
- Re: unescape lua string (opposite of %q), Jonathan Castello
- Re: unescape lua string (opposite of %q), Luiz Henrique de Figueiredo
- Re: unescape lua string (opposite of %q), Jonathan Castello
- Re: unescape lua string (opposite of %q), Ricardo Ramos Massaro
- Re: unescape lua string (opposite of %q), Jonathan Castello
- Re: unescape lua string (opposite of %q), HyperHacker
- Re: unescape lua string (opposite of %q), Shmuel Zeigerman
- Re: unescape lua string (opposite of %q), Erik Lindroos
- Re: unescape lua string (opposite of %q), Shmuel Zeigerman

Prev by Date: Re: Module system curiosity
Next by Date: Re: Renaming Lua
Previous by thread: Re: unescape lua string (opposite of %q)
Next by thread: Re: unescape lua string (opposite of %q)
Index(es):
- Date
- Thread