lua-users home
lua-l archive



I've been following along, and while I've seen credible claims that
lua is susceptible to:

http://packetstormsecurity.org/files/108209/n.runs-SA-2011.004.txt

I haven't seen any lua code that proves it.

There isn't a standard POST parser in lua, but it should be possible
for someone who believes this is a significant issue to write a small
lua program that parses a 2 MB string of key/value pairs into a hash
table and takes many hours to do so (for example, before it was
modified, ruby could be caused to take 6 hours of i7 CPU time to parse
a 2 MB post request).

Without such code, it's a bit hard to see this problem as anything
other than theoretical, and impossible to know whether any proposed
changes actually are effective.

Cheers,
Sam
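
A timing harness of the kind the message asks for, as an added example that is not part of the original post: it parses a form-encoded body into a table and compares the CPU time against a constructed baseline with the same number of distinct keys, so a proposed hashing change can be measured before and after. The function names and the file-path argument are assumptions.

```lua
-- Added example, not code from the thread. All names are hypothetical.
-- Usage: lua post_timing.lua captured_body.txt

-- Split "k1=v1&k2=v2..." into a table; returns the table and distinct key count.
local function parse_body(body)
  local params, n = {}, 0
  for pair in body:gmatch("[^&]+") do
    local key, value = pair:match("^([^=]*)=?(.*)$")
    if params[key] == nil then n = n + 1 end
    params[key] = value
  end
  return params, n
end

-- CPU seconds spent parsing `body`, plus the number of distinct keys seen.
local function time_parse(body)
  collectgarbage("collect")          -- keep GC pauses out of the measurement
  local start = os.clock()
  local _, n = parse_body(body)
  return os.clock() - start, n
end

-- Constructed baseline: `count` distinct zero-padded numeric keys of width `len`.
local function baseline_body(count, len)
  local parts = {}
  for i = 1, count do
    parts[i] = string.format("%0" .. len .. "d=x", i)
  end
  return table.concat(parts, "&")
end

-- Time the body under test against a baseline with the same key count.
local function compare(body)
  local t_body, n = time_parse(body)
  local t_base = time_parse(baseline_body(n, 16))
  return t_body, t_base, n
end

local path = arg and arg[1]
if path then
  local f = assert(io.open(path, "rb"))
  local body = f:read("*a")
  f:close()
  local t_body, t_base, n = compare(body)
  print(string.format("%d keys: body %.3fs, baseline %.3fs, ratio %.1fx",
                      n, t_body, t_base, t_body / math.max(t_base, 1e-6)))
end
```

A ratio near 1 means the body's keys insert at ordinary cost; a ratio that grows with the key count is the quadratic behaviour the advisory describes.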