|
On 03/03/2017 12:53, op7ic \x00 wrote:
> fair enough. In that case it's an "unintended side-effect" ;) I'm not entirely sure what would be the best solution, as in the current state running the code above would just DoS the system ..
>
> On Fri, Mar 3, 2017 at 11:17 AM, Dirk Laurie <dirk.laurie@gmail.com> wrote:
>> 2017-03-03 13:03 GMT+02:00 op7ic \x00 <op7ica@gmail.com>:
>>> version: lua 5.3.4
>>> I'm not this is really a bug
>> Yes, we have been told to use the word sparingly. Maybe call it an "unintended side-effect".

In the usual Lua philosophy, the language provides mechanisms, not policies. Therefore the Lua team avoids putting arbitrary limits where there is no clear reasonable choice.
What could that limit be? For a MCU, for example, 16 bytes could also be a reasonable limit. On a huge server machine 1GiB could be reasonable.
I agree that 59GB sounds fairly unreasonable by today's standards, but the point is, there is no hard and fast value that is good for every situation.
Anyway the solution is easy, just enclose the io.read function in a wrapper function that does size checking against a limit reasonable for _your_ setup/system.
You might also want to wrap that function globally, so that any usage of the standard io.read would be checked. This could be useful to enforce policies across all parts of a bigger app.
Of course these measures are good to prevent programming mistakes, not as a robust security measure against DoS attacks. In this latter case you'd need to design the whole system against those threats (not easy stuff, and probably impossible on the Lua side alone without setting up the OS environment properly as well).
Cheers!

-- Lorenzo
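An added example of the wrapper Lorenzo describes, written for this thread and not code from the thread or from the Lua distribution: it replaces `io.read` (and, since `io.read` is just `io.input():read(...)`, also the `read` method on file handles) with a version that refuses numeric sizes above a limit and refuses the unbounded `"a"` format. The limit `MAX_READ_BYTES`, the names `checked_formats`/`install_read_limit`, and the assumption that file handles share a metatable whose `__index` table holds `read` (as in Lua 5.3's liolib) are this example's own choices.

```lua
-- Example wrapper around io.read enforcing a per-call size limit.
-- Added for illustration; not part of the thread or of Lua itself.
-- MAX_READ_BYTES is an assumed value: pick one suited to your system
-- (a few KiB on an MCU, far more on a server).
local MAX_READ_BYTES = 1024 * 1024  -- 1 MiB, assumed limit

-- Validate the formats passed to io.read / file:read before any
-- allocation happens. Numeric formats are byte counts; "a"/"*a"
-- reads until EOF and is therefore unbounded.
local function checked_formats(...)
  local n = select("#", ...)
  for i = 1, n do
    local fmt = select(i, ...)
    if type(fmt) == "number" then
      if fmt > MAX_READ_BYTES then
        error(("read: requested %d bytes exceeds limit of %d bytes")
              :format(fmt, MAX_READ_BYTES), 3)
      end
    elseif type(fmt) == "string" then
      local f = fmt:gsub("^%*", "")  -- Lua 5.3 accepts "*a" as well as "a"
      if f == "a" then
        error("read: unbounded 'a' format is not allowed; read in chunks", 3)
      end
      -- "l", "L" and "n" are left alone here; note that "l"/"L" can still
      -- grow with the line length if the input has no newline.
    end
  end
end

-- Install the policy globally: io.read and the file-handle read method.
local function install_read_limit()
  local raw_io_read = io.read
  io.read = function(...)
    checked_formats(...)
    return raw_io_read(...)
  end

  -- Assumption (true for Lua 5.3's liolib): every file handle shares one
  -- metatable whose __index is a table of methods, including read.
  local methods = getmetatable(io.stdin).__index
  if type(methods) == "table" and type(methods.read) == "function" then
    local raw_file_read = methods.read
    methods.read = function(fh, ...)
      checked_formats(...)
      return raw_file_read(fh, ...)
    end
  end
end

install_read_limit()

-- Usage: an oversized request now fails early with a clear error instead of
-- attempting a huge allocation; a request within the limit behaves as before.
local ok, err = pcall(io.read, 59 * 1024 * 1024 * 1024)  -- 59 GiB, as in the thread
print(ok, err)  -- false, "...requested ... bytes exceeds limit..."

local ok2, err2 = pcall(io.stdin.read, io.stdin, "a")
print(ok2, err2)  -- false, "...unbounded 'a' format is not allowed..."
```

Because the original `io.read` is captured in a local before being replaced, code that grabbed a reference to `io.read` before `install_read_limit()` ran still bypasses the check; load the wrapper first, before any other module. This is the "prevent programming mistakes" level of protection described in the message: it does nothing about memory or CPU pressure from other sources, which, as Lorenzo says, has to be handled by the OS environment (resource limits on the process) rather than from inside Lua.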