On Thu, Oct 28, 2010 at 01:53:53PM -0600, HyperHacker wrote:
> On Thu, Oct 28, 2010 at 13:35, Luiz Henrique de Figueiredo
> This looks like something you could parse fairly trivially into Lua
> code like [[ square "square_name" {x=20, y=30...} ]], and then pass to
> luaL_dostring(). (This is valid syntax as long as square() returns
> another function for the table to be passed to). Just watch for the
> possibility of an injection attack if anyone is still creating files
> in this format.

That is exactly what I was thinking about.  I'm not familiar with the
API, but I knew luaL_dostring().

Also, without loading some libraries (without using luaopen_io() and
cousins), wouldn't it be more secure to run non-trusted code?  Of course
I want to make the parser not generate dangerous code, but not using
some libraries would be a plus.  :-)

(I just saw that there is luaopen_table(), so it might be table
functions that make table manipulation easy).

Thank you!

-- 
Silas Silva
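
The two precautions discussed in this message, sketched in Lua as an added example that is not code from the thread: the generator writes the name with `%q` and accepts only identifier keys and numeric values, and the generated chunk runs in an environment that holds nothing but the shape constructors. The empty environment stands in for a C host that never calls luaopen_io() and cousins; the shape kinds, field names and sample records are constructed assumptions.

```lua
-- Added example; shape kinds, field names and sample records are constructed.
local KINDS = { square = true, circle = true }

-- Emit one statement of Lua source for a parsed record. Anything that is not
-- a known kind, an identifier key or a numeric value is refused outright.
local function emit(kind, name, fields)
  assert(KINDS[kind], "unknown kind: " .. tostring(kind))
  local parts = {}
  for k, v in pairs(fields) do
    assert(type(k) == "string" and k:match("^[%a_][%w_]*$"), "bad key")
    assert(type(v) == "number", "bad value for " .. k)
    parts[#parts + 1] = string.format("%s=%.14g", k, v)
  end
  table.sort(parts)
  -- %q writes the name as a Lua string literal, escaping quotes and newlines.
  return string.format("%s %q {%s}", kind, name, table.concat(parts, ", "))
end

-- Run generated source with only the constructors visible: no io, os,
-- require or other globals exist inside the chunk.
local function run(source)
  local shapes, env = {}, {}
  for kind in pairs(KINDS) do
    env[kind] = function(name)
      return function(fields)
        shapes[#shapes + 1] = { kind = kind, name = name, fields = fields }
      end
    end
  end
  local chunk, err
  if setfenv then                                   -- Lua 5.1 / LuaJIT
    chunk, err = loadstring(source, "=shapes")
    if chunk then setfenv(chunk, env) end
  else                                              -- Lua 5.2 and later
    chunk, err = load(source, "=shapes", "t", env)
  end
  if not chunk then return nil, err end
  local ok, rerr = pcall(chunk)
  if not ok then return nil, rerr end
  return shapes
end

local hostile = 'a" {} print("injected") --'        -- constructed hostile name
local src = emit("square", "square_name", { x = 20, y = 30 }) .. "\n" ..
            emit("circle", hostile, { r = 5 })
print(src)
for _, s in ipairs(assert(run(src))) do print(s.kind, s.name) end
-- A chunk that reaches for a library fails: "io" is nil in the environment.
print(run('io.write("x")'))
```

The hostile name comes back as plain data in the second shape, and the last call returns nil plus an error message instead of writing anything.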