lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


Hi:

On Thu, Dec 19, 2013 at 1:43 AM, Rena <hyperhacker@gmail.com> wrote:

> Really, there's no need I can see for a config file to ever use a loop, so
> what if we could just ask Lua "load this file, but throw an error if it
> contains any loop instructions"? Or, what if we could load the file,
> string.dump it, and examine the bytecode to see if it has any loops?

I disent. I have a configuration file with at least two loops ( not
presently in Lua, it's perl script which outputs the config files, but
I'm trying to embed lua in the program for, among other things, using
it for configuration ). One loop is a map {} ( which is a loop ) which
generates an ini section from each row on an array ( a perl LoL ). The
other one is used because I need to generate nearly identical sections
interpolating a counter value in each rep. IMO one of the reason for
using lua in the configs is it HAS control constructs.

And besides, you will need resource limits anyway, you will have at
least to protect yourself against a humonguous config file and things
like this. Malicious config file are not IMO the problem, as what I
normally understand for config is data fed by the owner of the
program, so if i fed a file which sends my process and sends it into
wild trashing is because either I wanted it to do so or I broke it,
and I get to keep the pieces ( these is why I normally have an option
on my critical programs to just load the config file and print it,
before feeding a config to a real process I can do a test load, and my
scripts do it automagically ). Scripts fed by users can be malicious,
but are not config.

Francisco Olarte.