- Subject: Re: Malicious Lua 5.1 bytecode in the real world
- From: Peter Cawley <lua@...>
- Date: Mon, 16 Sep 2013 18:05:33 +0100
On Mon, Sep 16, 2013 at 5:36 AM, Tim Hill <email@example.com> wrote:
> Presumably the root problem here is the call to luaL_dofile(), which implicitly allows bytecode as well as text loading.
Indeed, the lua_load family in 5.1 implicitly allow bytecode loading,
and you need to inspect the first byte of your input if you wish to
disable it. At least in 5.2 most of the lua_load family accept a mode
parameter which makes it easier to disable bytecode loading.
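
The first-byte check described in the message above, as an added example that is not part of the original post or of Lua itself. The helper names are hypothetical; the code assumes the 5.1 signature `"\033Lua"` (first byte 0x1B) and that the 5.1 file loader skips a first line starting with `#` before testing that byte.

```c
#include <stddef.h>
#include <stdio.h>

/* First byte of LUA_SIGNATURE ("\033Lua"); it marks a precompiled chunk. */
#define LUA_SIG_FIRST 0x1B

/* Hypothetical helper: 1 if lua_load()/luaL_loadbuffer() would hand this
 * chunk to the bytecode loader, 0 if it would go to the source parser. */
int buffer_is_bytecode(const char *buf, size_t len)
{
    return len > 0 && (unsigned char)buf[0] == LUA_SIG_FIRST;
}

/* Hypothetical helper for file contents destined for luaL_loadfile() or
 * luaL_dofile(). The 5.1 file loader skips a first line beginning with '#'
 * before it looks at the signature byte, so this check skips it too. */
int file_contents_are_bytecode(const char *buf, size_t len)
{
    size_t i = 0;
    if (len > 0 && buf[0] == '#') {
        while (i < len && buf[i] != '\n')
            i++;
        if (i < len)
            i++;                      /* step past the newline */
    }
    return buffer_is_bytecode(buf + i, len - i);
}

int main(void)
{
    /* Constructed samples, not real chunks. */
    static const char text[]    = "print('hello')\n";
    static const char binary[]  = "\033LuaQ";
    static const char shebang[] = "#!/usr/bin/lua\n\033LuaQ";

    printf("text:    %d\n", file_contents_are_bytecode(text, sizeof text - 1));
    printf("binary:  %d\n", file_contents_are_bytecode(binary, sizeof binary - 1));
    printf("shebang: %d\n", file_contents_are_bytecode(shebang, sizeof shebang - 1));
    /* A buffer loader does not skip the '#' line, so it sees source here. */
    printf("shebang via buffer: %d\n", buffer_is_bytecode(shebang, sizeof shebang - 1));
    return 0;
}
```

Run the check on the same bytes that get loaded: read the file into memory, test it, and pass that buffer to `luaL_loadbuffer()`, rather than testing a path and then letting `luaL_dofile()` reopen it. In 5.2 the mode string `"t"` gives the same restriction without a manual check.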