Re: Malicious Lua 5.1 bytecode in the real world

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Malicious Lua 5.1 bytecode in the real world
From: Peter Cawley <lua@...>
Date: Mon, 16 Sep 2013 18:05:33 +0100

On Mon, Sep 16, 2013 at 5:36 AM, Tim Hill <drtimhill@gmail.com> wrote:
> Presumably the root problem here is the call to luaL_dofile(), which implicitly allows bytecode as well as text loading.

Indeed, the lua_load family in 5.1 implicitly allow bytecode loading,
and you need to inspect the first byte of your input if you wish to
disable it. At least in 5.2 most of the lua_load family accept a mode
parameter which make it easier to disable bytecode loading.

References:
- Malicious Lua 5.1 bytecode in the real world, Peter Cawley
- Re: Malicious Lua 5.1 bytecode in the real world, Tim Hill

Prev by Date: [ANN] lua5.1.js v0.9.1
Next by Date: Re: Why Lua is not more popular
Previous by thread: Re: Malicious Lua 5.1 bytecode in the real world
Next by thread: [ANN] lua-libmemcached, simple Lua binding for libmemcached
Index(es):
- Date
- Thread