Re: Some thoughts on security

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Some thoughts on security
From: Pierre-Yves Gérardy <pygy79@...>
Date: Mon, 12 Dec 2016 01:20:27 +0100

On Mon, Dec 12, 2016 at 1:11 AM, Nagaev Boris <bnagaev@gmail.com> wrote:
> On 11 Dec 2016 4:00 pm, "Pierre-Yves Gérardy" <pygy79@gmail.com> wrote:
> On Mon, Dec 12, 2016 at 12:21 AM, Samuel Groß <mail@samuel-gross.com> wrote:
>> [6]: "We have always considered it unacceptable for a Lua program to be
>> able
>> to crash the host application. Lua should be a safe language.". This seems
>> to be clearly violated here.
>
> Beside what Daurnimator said in a parallel thread, the sentence you
> quoted applies to Lua source code, not bytecode.
>
> Lua program can load bytecode using load function.

And the potential crashes are acknowledged at the end of
http://www.lua.org/manual/5.3/manual.html#pdf-load :

"Lua does not check the consistency of binary chunks. Maliciously
crafted binary chunks can crash the interpreter."

Also, you can call `load` in "t" mode, it will reject bytecode (it
would be nice it it was the default behavior).

—Pierre-Yves

References:
- Some thoughts on security, Samuel Groß
- Re: Some thoughts on security, Pierre-Yves Gérardy
- Re: Some thoughts on security, Nagaev Boris

Prev by Date: Re: Some thoughts on security
Next by Date: Re: Some thoughts on security
Previous by thread: Re: Some thoughts on security
Next by thread: Re: Some thoughts on security
Index(es):
- Date
- Thread