lua-users home
lua-l archive



I'm just writing out a few values into a Lua file that returns a table when I
call dofile on it. So... return {{some table params}} ... One of the params is a file path. I have a little process that grabs each of these little .lua files, loads it up, reads the params and does its thing accordingly. However, I can definitely see the security problems with that as well. I'll have to lock that down a bit at the end of it all.


Quoting HyperHacker <hyperhacker@gmail.com>:

On Tue, Jun 15, 2010 at 20:00, Alex Queiroz <asandroq@gmail.com> wrote:
Hallo,

On Tue, Jun 15, 2010 at 10:57 PM,  <kenk@heroesent.com> wrote:
I'm having a serious brain fart here.. I start off with a string that holds
a file path, something like aFilePath = "c:\\a\\b\\c\\d\\filename.blah.. As
I pass it around in Lua, it removes the \ and becomes C:\a\b\c.. and so on.. Now I save the filepath to a file, it gets saved as C:\a\b\c\d etc.. without
the added \\... now when I try to load up the file, I lose all \'s,
obviously because it thinks these are escape sequences now... I shouldn't
have to replace these all the time with \\ ... how can I keep the file path
intact between saves and loads etc?


    You can write the string thus: aFilePath = [[c:\a\b\c\d\filename.blah]]

Cheers,
--
-alex
http://www.artisancoder.com/


What are you doing that causes configuration values to be unescaped?
The only thing I can think of is making your config file a Lua script,
or injecting strings from it into loadstring()'d code. If you're not
careful, either of these can be major security issues, and if you are
doing this for a good reason, look at string.format('%q', foo).

--
Sent from my toaster.
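
An added example, not part of the original messages or any poster's code: one way to write a path into a `return { ... }` config file with string.format('%q', ...) as suggested above, and to read it back without giving the file access to globals. The function names and the sample path are assumptions; both Lua 5.1 (loadstring/setfenv) and 5.2+ (load with an environment) are handled.

```lua
-- Added example; serialize, load_config and the sample path are hypothetical.

-- Write flat string/number/boolean params as a "return { ... }" chunk.
-- %q escapes backslashes, quotes and newlines, so strings read back verbatim.
local function serialize(params)
  local out = { "return {\n" }
  for k, v in pairs(params) do
    assert(type(k) == "string", "keys must be strings")
    local tv = type(v)
    if tv == "string" then
      out[#out + 1] = string.format("  [%q] = %q,\n", k, v)
    elseif tv == "number" or tv == "boolean" then
      out[#out + 1] = string.format("  [%q] = %s,\n", k, tostring(v))
    else
      error("unsupported value type: " .. tv)
    end
  end
  out[#out + 1] = "}\n"
  return table.concat(out)
end

-- Run a config chunk as text only, with an empty environment (no os, io, ...).
local function load_config(src)
  if src:byte(1) == 27 then return nil, "bytecode rejected" end
  local fn, err
  if setfenv then                       -- Lua 5.1
    fn, err = loadstring(src, "=config")
    if fn then setfenv(fn, {}) end
  else                                  -- Lua 5.2 and later
    fn, err = load(src, "=config", "t", {})
  end
  if not fn then return nil, err end
  local ok, result = pcall(fn)
  if not ok then return nil, result end
  if type(result) ~= "table" then return nil, "config must return a table" end
  return result
end

local path = "c:\\a\\b\\c\\d\\filename.blah"      -- constructed sample value
local text = serialize({ path = path, retries = 3 })
local cfg = assert(load_config(text))
assert(cfg.path == path and cfg.retries == 3)   -- backslashes survive the round trip

-- A file that reaches for a global fails instead of running it.
local bad, err = load_config('return { path = os.getenv("HOME") }')
assert(bad == nil)
print(text)
print("rejected:", err)
```

An empty environment keeps the chunk away from os, io and the other globals, but it does not stop a config file that loops forever or allocates heavily, so files from untrusted sources still need a limit on run time and memory.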




