lua-l archive


Hi everyone,

As a developer of probably one of the largest projects depending on
LuaExpat, I've just taken maintainership of the module, which has been
untended for a few years now.

This release brings a minimal number of API changes, in fact just
enough for an application to prevent what has become known as the
"billion laughs" attack. This attack is of importance to anyone
processing XML from untrusted sources - successfully exploiting it
causes the parser to consume large amounts of CPU and RAM, effectively
a denial of service against the process and sometimes the machine.
More information at:
http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html#N100F1

The 1.2.0 tarball can be found at
http://matthewwild.co.uk/projects/luaexpat/luaexpat-1.2.0.tar.gz
Fabio has already pushed the release into the LuaRocks repository.

LuaExpat also now has a source repository at
http://code.matthewwild.co.uk/lua-expat

In the long term I plan to extend the API to make it a little more
complete, like adding the remaining missing callbacks and allowing
resume after parser:stop(). Any suggestions or feedback welcome here
or direct to me.

Regards,
Matthew

PS. I nearly forgot: Expat is an XML parsing library. XML is an
extensible markup language. Laughter is... never mind.
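
One way an application can use this release to refuse entity-expansion input, shown as an added example that is not part of the original post or of LuaExpat's own code. It assumes LuaExpat's `StartDoctypeDecl` callback (not named in the post) together with `parser:stop()`; the function name `parse_untrusted` and the sample documents are constructed for illustration.

```lua
local lxp = require("lxp")

-- Parse `xml` from an untrusted source and refuse any document that
-- carries a DOCTYPE declaration. Entities can only be declared inside a
-- DOCTYPE, so stopping there means no entity is ever defined or expanded.
-- Returns the number of elements seen, or nil plus an error message.
local function parse_untrusted(xml)
  local rejected = false
  local elements = 0

  local parser = lxp.new({
    -- Called when Expat reaches "<!DOCTYPE", before the internal subset
    -- (and therefore before any <!ENTITY ...> declaration) is processed.
    StartDoctypeDecl = function(p)
      rejected = true
      p:stop() -- abort parsing immediately
    end,
    StartElement = function(p, name, attrs)
      elements = elements + 1
    end,
  })

  local ok, err = parser:parse(xml)
  if ok then
    ok, err = parser:parse() -- no argument: signal end of document
  end
  parser:close()

  -- The flag set in the callback is authoritative; the error text that
  -- Expat reports for an aborted parse is not relied upon.
  if rejected then
    return nil, "DOCTYPE declarations are not accepted"
  end
  if not ok then
    return nil, err
  end
  return elements
end

-- Constructed sample inputs: a plain document, and one that declares a
-- single harmless entity in its DOCTYPE.
local plain = "<msg><body>hello</body></msg>"
local with_doctype = '<!DOCTYPE msg [ <!ENTITY a "x"> ]><msg>&a;</msg>'

print(parse_untrusted(plain))
print(parse_untrusted(with_doctype))
```

Rejecting every DOCTYPE is only suitable where the application never needs DTDs or custom entities, as is the case for many wire protocols that carry XML.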