lua-l archive

Kristofer Karlsson wrote:
One suggestion for the unescape is to first use loadstring, and then use
string.dump to verify that it contains no harmful code.
Basically, you just need to check that the function consists of two
opcodes: one LOADK for the string data, and one RETURN, which should be
fairly easy to verify.

Okay, this verifies the string and detects harmful code, if any.
But the original problem ("unescape") has nothing to do with harmful code, it's a specific solution ("loadstring solution") that can be exploited maliciously. Thus, if we detected harmful code, we cannot run the compiled chunk and so cannot get the "unescaped" string.

FWIW, here is what I ended up with (Lrexlib/PCRE is used):

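local rex = require "rex_pcre"  -- Lrexlib PCRE binding

-- Single-character escapes recognized after a backslash
local map = {
  a='\a', b='\b', f='\f', n='\n', r='\r', t='\t',
  v='\v', ['\\']='\\', ['\"']='\"', ['\'']='\''
}

-- Expands Lua-style escape sequences in str without compiling it as code
function unescape (str)
  str = rex.gsub (str, [[\\(\d\d?\d?)|\\(.?)]],
    function (c1, c2)
      -- c2 is set only when the second alternative (non-numeric escape) matched
      if c2 then return map[c2] or c2 end
      -- otherwise c1 holds one to three decimal digits
      local n = tonumber (c1)
      assert (n < 256, "escape sequence too large")
      return string.char(n)
    end)
  return str
end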

--
Shmuel
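
Added example, not part of the original post: the "loadstring solution" discussed in the thread next to a data-only unescape that uses only string.gsub, run on a constructed input that closes the string literal. The names unescape_eval and unescape_data and all sample inputs are assumptions made for illustration.

```lua
-- Added example; all inputs below are constructed for illustration.
local loadstring = loadstring or load   -- Lua 5.1 has loadstring, 5.2+ has load

-- The "loadstring solution": the input is pasted into source text and compiled.
local function unescape_eval(s)
  local f = assert(loadstring('return "' .. s .. '"'))
  return f()
end

-- Data-only alternative: one string.gsub pass, nothing is ever compiled.
local map = {
  a='\a', b='\b', f='\f', n='\n', r='\r', t='\t',
  v='\v', ['\\']='\\', ['"']='"', ["'"]="'"
}

local function unescape_data(s)
  -- Capture the character after the backslash plus up to two following digits,
  -- so "\\65" (escaped backslash, then "65") is not misread as "\65".
  return (s:gsub("\\(.?)(%d?%d?)", function(c, rest)
    if c:find("^%d$") then
      local n = tonumber(c .. rest)
      assert(n < 256, "escape sequence too large")
      return string.char(n)
    end
    return (map[c] or c) .. rest
  end))
end

-- Ordinary escapes: both approaches agree.
assert(unescape_eval([[tab\there \65]]) == "tab\there A")
assert(unescape_data([[tab\there \65]]) == "tab\there A")
assert(unescape_data([[a\\65]]) == [[a\65]])

-- Input that closes the string literal: the eval version runs it as code,
-- the data-only version returns it unchanged.
local hostile = [[x" .. tostring(6*7) .. "y]]
assert(unescape_eval(hostile) == "x42y")
assert(unescape_data(hostile) == hostile)
print("ok")
```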