lua-l archive



On Thu, Dec 29, 2011 at 1:55 PM, Mark Hamburg <mark@grubmah.com> wrote:
> A secure implementation would introduce some randomizing element per run or per Lua universe that would result in hash values that would collide under some conditions not colliding under others.

This seems to be what Perl and Ruby did, and what Python doesn't want
to (relegating the issue to web framework developers).

In Lua's case, it seems that the problem isn't fixable at application
(or framework) level, since the string-interning mechanism has the
same weakness before one starts processing POST arguments into a
table.

Personally, I'm not that worried, because it seems that a proxy in
front of the Lua server mitigates most of the problem.  Still, keeping
the issue open wouldn't do any good for Lua's reputation and general
applicability.

I think that a simple solution, like making the char-skipping method
different for every Lua State should be enough.

-- 
Javier
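As an added illustration (not code from this thread, nor Lua's own source), here is a C sketch of the per-state seed both posts suggest: the Lua 5.1 string-hash loop next to a variant that mixes a seed into its initial value, which is the shape Lua 5.2.1 later adopted. `make_state_seed` is a hypothetical, non-cryptographic seed source used only to show that each state ends up with different bucket placements.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Lua 5.1's string hash (as in luaS_newlstr, lstring.c): the length seeds h,
 * and `step` skips characters of long strings.  Every Lua state computes the
 * same value, so two strings that collide in one run collide in every run. */
unsigned int lua51_hash(const char *str, size_t l) {
    unsigned int h = (unsigned int)l;
    size_t step = (l >> 5) + 1;   /* the "char-skipping" method */
    size_t l1;
    for (l1 = l; l1 >= step; l1 -= step)
        h = h ^ ((h << 5) + (h >> 2) + (unsigned char)str[l1 - 1]);
    return h;
}

/* Same loop, but the initial value is XORed with a per-state seed.  Seed 0
 * reproduces the 5.1 result exactly; any other seed moves every string. */
unsigned int seeded_hash(const char *str, size_t l, unsigned int seed) {
    unsigned int h = seed ^ (unsigned int)l;
    size_t step = (l >> 5) + 1;
    size_t l1;
    for (l1 = l; l1 >= step; l1 -= step)
        h = h ^ ((h << 5) + (h >> 2) + (unsigned char)str[l1 - 1]);
    return h;
}

/* Hypothetical seed source (assumption, not Lua's luai_makeseed): mixes the
 * clock with an ASLR-dependent stack address.  Good enough to differ per
 * process; not suitable where an attacker can observe many hashes. */
unsigned int make_state_seed(void) {
    uintptr_t buf[2];
    buf[0] = (uintptr_t)time(NULL);
    buf[1] = (uintptr_t)(void *)&buf;
    return seeded_hash((const char *)buf, sizeof buf, 0x9e3779b9u);
}

/* Bucket index the way a power-of-two string table would pick it. */
size_t bucket(unsigned int h, size_t table_size) { return h & (table_size - 1); }

int main(void) {
    const char *keys[] = {"a", "b", "user", "password"};   /* constructed */
    unsigned int seed = make_state_seed();
    size_t i;
    printf("state seed = 0x%08x\n", seed);
    for (i = 0; i < 4; i++)
        printf("%-8s 5.1 bucket %2zu   seeded bucket %2zu\n", keys[i],
               bucket(lua51_hash(keys[i], strlen(keys[i])), 64),
               bucket(seeded_hash(keys[i], strlen(keys[i]), seed), 64));
    return 0;
}
```

Run it twice: the 5.1 column is identical across runs, the seeded column is not, which is the property a per-state seed buys.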