- Subject: Re: io:lines() and \0
- From: Tim Hill <drtimhill@...>
- Date: Sat, 22 Feb 2014 17:30:19 -0800
On Feb 22, 2014, at 4:16 PM, Petite Abeille <petite.abeille@gmail.com> wrote:
>
> On Feb 23, 2014, at 12:48 AM, Tim Hill <drtimhill@gmail.com> wrote:
>
>> No,
>
> Shocker.
>
>> but it’s clear that io:lines() is a dangerous API to use unless you have complete control over the input dataset.
>
> ( Meh. Sounds like a drama-queen argument, with a dose of tunnel vision. Anyway, to each their own. )
>
>
No, not at all. Think for a minute. When you feed io:lines() malformed input it generates odd results, with no errors. This is pay-dirt for hackers trying to break into computer systems. A hacker sits down, finds some naive Lua code on a web server that uses io:lines() and then feeds it various inputs with ‘\0’ characters until he gets something “interesting” to happen. And this isn’t paranoia; there have been far less obvious vulnerabilities used in the past for some pretty dramatic exploits.
—Tim
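A defensive alternative for untrusted input, added here as an illustration and not code from anyone in the thread: it reads the file in binary mode, splits lines itself with a NUL-safe plain `find`, and flags any line that carries a `\0` byte so the caller can reject it instead of silently processing whatever io.lines() would have handed back. The `checked_lines` name and the sample file contents are my own; it assumes Lua 5.1 or later.

```lua
-- Added example: a line reader that never drops or merges data silently.
-- Each step yields (lineno, line, has_nul); has_nul tells the caller that
-- the record contains an embedded NUL and should be rejected or logged.
local function checked_lines(path)
  local f = assert(io.open(path, "rb"))     -- binary mode: no newline translation
  local data = f:read("*a")                 -- whole file; "*a" is accepted by 5.1 through 5.4
  f:close()
  local pos, lineno = 1, 0
  return function()
    if pos > #data then return nil end      -- iterator exhausted
    local nl = data:find("\n", pos, true)   -- plain search, safe with embedded \0
    local line
    if nl then
      line = data:sub(pos, nl - 1)
      pos = nl + 1
    else
      line = data:sub(pos)                  -- final line without a trailing newline
      pos = #data + 1
    end
    lineno = lineno + 1
    local has_nul = line:find("\0", 1, true) ~= nil
    return lineno, line, has_nul
  end
end

-- Constructed sample input: the second record hides bytes behind a NUL.
local tmp = os.tmpname()
local out = assert(io.open(tmp, "wb"))
out:write("alice=1\nbob=2\0hidden\ncarol=3\n")
out:close()

for n, line, bad in checked_lines(tmp) do
  if bad then
    io.write(string.format("line %d: rejected, embedded NUL (%d bytes)\n", n, #line))
  else
    io.write(string.format("line %d: ok: %s\n", n, line))
  end
end
os.remove(tmp)
```

The point is the explicit `has_nul` signal: a consumer that must treat the data as text gets a chance to fail closed on the record, which is the error that the original poster is asking io:lines() for.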