On Mon, Jan 27, 2014 at 12:04 AM, Dirk Laurie <dirk.laurie@gmail.com> wrote:
2014-01-27 Rena <hyperhacker@gmail.com>:
> On Sun, Jan 26, 2014 at 6:03 PM, Robert Raschke <rtrlists@googlemail.com>
> wrote:
>>
>> You could probably do something along the lines of:
>>
>> f = assert( io.open("table.txt") )
>> s = f:read("*a")
>> f:close()
>> t = assert( loadstring("{"..s.."}") )()
>>
>> I think this will work in 5.1. But in 5.2 you'll need to do something else
>> for loadstring().
>>
>> Robby
>
> It'd have to be:
> t = assert( loadstring("return {"..s.."}") )()
>
> (and of course this still assumes the input is trustworthy.)

1. `loadstring` in Lua 5.2 with default compiler settings is exactly
the same function as `load`, and with compatibility settings off
does not exist.
2. If the input is not trustworthy, you can say
safe={}
t = assert( loadstring("return {"..s.."}",nil,nil,safe) )()
This runs the table specification with no libraries.
If this is too restrictive, just put the minimal features
that you wish to allow in `safe`.


You should also disallow loading binary chunks, because those can be crafted to exploit the VM. Also, this won't prevent a malicious script from just looping and hogging memory and CPU.

--
Sent from my Game Boy.
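The following is an added example, not code from the thread or from any of its posters. It puts the two points above together: Dirk's custom environment (the `safe` table) and Rena's advice to refuse binary chunks, and adds an instruction-count hook as a crude bound on the CPU-hogging case Rena mentions. It assumes Lua 5.2 or later (`load` with the mode and env parameters); the function name `load_table`, the parameter names and the sample inputs are mine.

```lua
-- Added example (not from the thread). Assumes Lua 5.2+.
-- Parse `s` (untrusted text) as the body of a table constructor.
-- `allowed` is the environment the chunk sees; `max_instructions` is the
-- VM instruction budget before the chunk is aborted.
local function load_table(s, allowed, max_instructions)
  allowed = allowed or {}              -- empty env: no io, os, require, ...
  max_instructions = max_instructions or 1000000

  -- Mode "t" accepts text chunks only, so precompiled (binary) chunks,
  -- which can be crafted to crash or subvert the VM, are rejected.
  -- Here the chunk always begins with the literal "return {", so it can
  -- never be binary anyway, but "t" keeps the call safe if someone later
  -- passes raw input to load without the wrapper.
  local chunk, err = load("return {" .. s .. "}", "=untrusted", "t", allowed)
  if not chunk then
    return nil, "compile error: " .. err
  end

  -- Count hook: raise an error once the budget is used up. The error
  -- propagates out of the chunk and is caught by the pcall below.
  local function out_of_budget()
    error("instruction budget exceeded", 0)
  end
  debug.sethook(out_of_budget, "", max_instructions)
  local ok, result = pcall(chunk)
  debug.sethook()                      -- always clear the hook again
  if not ok then
    return nil, "runtime error: " .. tostring(result)
  end
  return result
end

-- Constructed inputs for demonstration (not real data).
local cases = {
  { "plain table",    '1, 2, name = "x", nested = { 3 }' },
  { "needs library",  'pi = math.pi' },            -- only works if math is allowed
  { "escape attempt", 'os.execute("id")' },        -- os is nil in the sandbox
  { "cpu hog",        'x = (function() while true do end end)()' },
}

for _, case in ipairs(cases) do
  local name, text = case[1], case[2]
  -- Expose only what the format needs: here a table with just math.pi.
  -- A fresh table per call, since functions in the chunk can write to it.
  local t, err = load_table(text, { math = { pi = math.pi } }, 100000)
  if t then
    local keys = {}
    for k in pairs(t) do keys[#keys + 1] = tostring(k) end
    table.sort(keys)
    print(name .. ": ok, keys = " .. table.concat(keys, ","))
  else
    print(name .. ": rejected (" .. err .. ")")
  end
end
```

Two caveats a reader should keep in mind. First, an empty environment does not remove the string library: string methods stay reachable through the string metatable (`("x"):rep(n)`), so the instruction hook bounds CPU time but not memory; a memory limit has to come from the embedding host (for example a custom allocator installed with `lua_setallocf`). Second, on Lua 5.1 there is no mode parameter: use `loadstring` plus `setfenv`, and reject input whose first byte is `"\27"` (the binary-chunk signature) before loading it.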