- Subject: Penlight fixes: request for review
- From: steve donovan <steve.j.donovan@...>
- Date: Mon, 23 Apr 2012 15:58:43 +0200
Hi all,
I've pushed some fixes to Penlight and would like some comment.
- pl.Date[1] should behave better, due to a more _careful_ reading of
the ISO 8601 standard. I've used Sean Conner's recipe for working out
the timezone. But this is hard stuff and I'd appreciate a review.
- pl.stringio[2] was recently in the news, and I've fixed the
missing-blank line problem, together with an unrelated problem with
multiple '*n' with floating-point format numbers. An enhancement is
that lines() now understands '*L' and behaves according to the Lua 5.2
spec. As requested, I am going to make this one available as a
separate Rock.
- pl.pretty.read[3] has become more paranoid - it switches off the
string metatable's __index when loading so people can't do mischief
with string methods. (It already forbids use of functions).
pl.pretty.load is now documented, and does a similar job for
'top-level' configuration-style files. The second (optional) arg is
the environment (nil by default) and the third optional arg is called
'paranoid', which uses a lexical scanner to prevent any looping
constructs from sneaking in. So the challenge is to see if anyone can
sneak an exploit past these functions.
The corresponding tests give a good idea of the edge cases considered [4].
It is also passing all tests with Lua 5.2 in default 'unforgiving'
mode, e.g. no loadstring or global unpack.
steve d.
[1] https://github.com/stevedonovan/Penlight/blob/master/lua/pl/Date.lua
[2] https://github.com/stevedonovan/Penlight/blob/master/lua/pl/stringio.lua
[3] https://github.com/stevedonovan/Penlight/blob/master/lua/pl/pretty.lua
[4] https://github.com/stevedonovan/Penlight/tree/master/tests
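
The string-metatable guard described above for pl.pretty.read, as an added sketch that is not part of the original message and not Penlight's own code. `compile` and `safe_read` are hypothetical names, the input strings are constructed, and the keyword check is a simplified stand-in for forbidding functions.

```lua
-- Added example: a data loader with an empty environment plus a string-metatable guard.
local function compile(src, env)
  if setfenv then                          -- Lua 5.1 / LuaJIT
    local f, err = loadstring(src, "data")
    if not f then return nil, err end
    return setfenv(f, env)
  end
  return load(src, "data", "t", env)       -- Lua 5.2+: text chunks only
end

local function safe_read(text, guard_strings)
  -- Crude keyword check (also rejects the word inside string literals).
  if text:find("%f[%w_]function%f[^%w_]") then
    return nil, "function keyword not allowed"
  end
  local chunk, err = compile("return " .. text, {})   -- no globals visible
  if not chunk then return nil, err end

  local mt = getmetatable("")
  local saved = mt.__index
  if guard_strings then mt.__index = nil end  -- ('x'):method() now fails
  local ok, res = pcall(chunk)                -- pcall so we always get back here
  mt.__index = saved                          -- restore before returning
  if not ok then return nil, res end
  return res
end

-- Constructed inputs.
local plain  = "{ name = 'penlight', ports = {80, 443} }"
local sneaky = "{ name = ('x'):upper() }"

local t = assert(safe_read(plain, true))
assert(t.ports[2] == 443)

-- An empty environment alone does not hide string methods:
local u = assert(safe_read(sneaky, false))
assert(u.name == "X")

-- With the guard, the method lookup fails and the loader reports an error:
local v, e = safe_read(sneaky, true)
assert(v == nil and type(e) == "string")

-- The metatable is back to normal afterwards.
assert(("ok"):upper() == "OK")
print("all checks passed")
```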