lua-users home
lua-l archive


On 03/03/2017 12:53, op7ic \x00 wrote:
> fair enough. In that case it's an "unintended side-effect" ;) I'm not
> entirely sure what would be the best solution, as in the current state
> running the code above would just DoS the system ..
>
> On Fri, Mar 3, 2017 at 11:17 AM, Dirk Laurie <dirk.laurie@gmail.com> wrote:
>> 2017-03-03 13:03 GMT+02:00 op7ic \x00 <op7ica@gmail.com>:
>>
>>> version: lua 5.3.4
>>>
>>> I'm not sure this is really a bug
>>
>> Yes, we have been told to use the word sparingly. Maybe call it
>> an "unintended side-effect".



In the usual Lua philosophy, the language provides mechanisms, not policies. Therefore the Lua team avoids putting arbitrary limits where there is no clear, reasonable choice.

What could that limit be? For an MCU, for example, 16 bytes could also be a reasonable limit. On a huge server machine 1 GiB could be reasonable.

I agree that 59 GB sounds fairly unreasonable by today's standards, but the point is, there is no hard and fast value good for every situation.

Anyway, the solution is easy: just enclose the io.read function in a wrapper function that does size checking against a limit reasonable for _your_ setup/system.

You might also want to wrap that function globally, so that any usage of the standard io.read would be checked. This could be useful to enforce policies across all parts of a bigger app.

Of course these measures are good for preventing programming mistakes, not as a robust security measure against DoS attacks. In the latter case you'd need to design the whole system against those threats (not easy stuff, and probably impossible on the Lua side alone without properly setting up the OS environment as well).


Cheers!

-- Lorenzo
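The size-checked wrapper and the global rebinding that the reply above suggests, written out as an added example; this is not code from the thread or from the Lua distribution. It assumes a policy limit MAX_READ of 16 MiB and a chunk size CHUNK of 64 KiB, both arbitrary. The numeric case matters because in Lua 5.3 `file:read(n)` asks for an n-byte buffer before it reads anything, so a huge count is refused here before that allocation happens; the "a" case is rebuilt on top of bounded chunk reads so a large input cannot grow the buffer without limit. The wrapper is installed on the file metatable's method table as well as on io.read, so f:read and io.stdin:read are covered too.

```lua
-- Added example, not from the thread: a size-checked replacement for io.read
-- and file:read, installed globally as the message suggests.
-- MAX_READ and CHUNK are assumed policy values; pick ones that fit your system.
local MAX_READ = 16 * 1024 * 1024   -- refuse any single read larger than 16 MiB
local CHUNK    = 64 * 1024          -- block size used when draining "a" reads

-- Original file:read method, captured before it is replaced. In Lua 5.3 the
-- file metatable is its own __index; in 5.4 __index is a separate method table.
local file_methods = getmetatable(io.stdin).__index
local raw_read = file_methods.read

local function too_big(n)
  error(("read of %d bytes refused: exceeds limit of %d"):format(n, MAX_READ), 2)
end

-- Read "everything" in bounded chunks instead of letting the buffer grow unchecked.
local function read_all_bounded(f)
  local parts, total = {}, 0
  while true do
    local chunk = raw_read(f, CHUNK)
    if not chunk then break end
    total = total + #chunk
    if total > MAX_READ then too_big(total) end
    parts[#parts + 1] = chunk
  end
  return table.concat(parts)
end

-- Drop-in replacement for file:read. Numeric counts above MAX_READ are refused
-- before the raw read would allocate a buffer of that size; "a" is drained in
-- chunks. "l", "L" and "n" are passed through: this wrapper does not bound a
-- single very long line, which needs a chunked line reader or an OS-level limit.
local function bounded_read(f, ...)
  local nargs = select("#", ...)
  if nargs == 0 then return raw_read(f, "l") end
  local results, count = {}, 0
  for i = 1, nargs do
    local fmt = select(i, ...)
    local val
    if type(fmt) == "number" then
      if fmt > MAX_READ then too_big(fmt) end
      val = raw_read(f, fmt)
    else
      local spec = fmt
      if type(spec) == "string" then spec = spec:gsub("^%*", "") end  -- accept 5.2-style "*a"
      if spec == "a" then
        val = read_all_bounded(f)
      else
        val = raw_read(f, fmt)
      end
    end
    count = count + 1
    results[count] = val
    if val == nil then break end  -- like the stock read: stop at the first failed format
  end
  return table.unpack(results, 1, count)
end

-- Install globally: every f:read, io.stdin:read and io.read now goes through the check.
file_methods.read = bounded_read
io.read = function(...) return bounded_read(io.input(), ...) end

-- Demonstration on a constructed temporary file (not from the thread).
local tmp = os.tmpname()
local out = assert(io.open(tmp, "w"))
out:write("hello\nworld\n")
out:close()

local f = assert(io.open(tmp, "r"))
print(f:read("a"))                 -- whole file, read through read_all_bounded
f:close()

local g = assert(io.open(tmp, "r"))
local ok, err = pcall(g.read, g, 1 << 36)   -- 64 GiB count: refused before any allocation
g:close()
print(ok, err)
os.remove(tmp)
```

Two caveats a practitioner would want: io.lines and f:lines still call the original reader internally, so they are not covered by this wrapper, and nothing here limits a single line read with "l"/"L". As the reply says, a wrapper like this catches programming mistakes; against a hostile input source the process itself should run under an OS-level memory limit (for example a virtual-memory rlimit) so that any path the wrapper misses still fails safely.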