lua-users home
lua-l archive

I don't think being defensive is good enough here. If you are accepting "data" into your system from the outside world you really have to be paranoid and assume they are out to get you. Because they will be! It is not much different from building firewalls, where the safest way is to start by blocking everything and then only allow the bare minimum. Depressing perhaps, but the only safe way to go.

Robert 

----- Original Message -----
> From: "Thijs Schreijer" <thijs@thijsschreijer.nl>
> To: lua-l@lists.lua.org
> Sent: Tuesday, 8 January, 2013 11:19:56 AM
> Subject: Re: Is Lua used as a data representation language?
> 
> 
> > I think that having a data representation language which is executable is
> > extremely dangerous and I would never use it unless the "data" came
> > from an extremely trusted source. Basically myself. Even if I had written
> > my own interpreter for it. This is one case where data should definitely
> > be data and nothing else.
> >
> > Robert
> 
> In general I would agree to that, but it is also a very defensive
> point of view. I would like to see where this is going and whether
> it can be sandboxed well enough to be safe enough (whatever that
> might be).
> If you don't try, you won't know.
> 
> Thijs