Please show me some sample JSON code that this decoder can't handle
properly.

Because it's not on your list yet:

> json_decode '{ "fail": os.execute("echo oops!") }'
oops!
< table: 0x17c2600
<<	fail	true

(Where does the JSON come from?  Can you trust the sources...
  ...to not intentionally do this?
  ...to properly handle all inputs and not accidentally generate this?
  ...not to get hacked ever so no attacker will send this?)

Until now, no one said that [1] is broken. So just replacing load("...")() with something along those lines should be (/ is?) enough to handle direct escape attempts.

-- nobody

[1]: http://lua-users.org/lists/lua-l/2017-03/msg00232.html
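
One way to read the suggestion of replacing a bare load("...")(), shown as an added example that is not code from this post or from the message linked as [1]. It assumes Lua 5.2 or later; to_lua_source, decode_unsafe and decode_sandboxed are hypothetical names, and the toy translator stands in for whatever load()-based decoder is under discussion.

```lua
-- Added illustration. Requires Lua 5.2+ (load accepts mode and env arguments).
-- to_lua_source, decode_unsafe and decode_sandboxed are hypothetical names.

-- Toy stand-in for a load()-based decoder: rewrite JSON punctuation into
-- Lua table-constructor syntax. It does not validate the input at all.
local function to_lua_source(json)
  local src = json:gsub("%[", "{"):gsub("%]", "}")   -- arrays  -> { ... }
  src = src:gsub('("[^"]*")%s*:', "[%1] =")          -- "k": v  -> ["k"] = v
  return "return " .. src
end

-- Vulnerable form (defined for contrast, not called here): the chunk sees
-- the real globals, so a Lua expression placed where a JSON value belongs,
-- such as the os.execute call in the post, is evaluated.
local function decode_unsafe(json)
  return load(to_lua_source(json))()
end

-- Hardened form: text chunks only ("t"), an empty table as the chunk's
-- environment so no global (os, io, require, ...) resolves, and pcall so
-- a failing input is returned as nil plus a message instead of raising.
local function decode_sandboxed(json)
  local chunk, err = load(to_lua_source(json), "=json", "t", {})
  if not chunk then return nil, err end        -- syntax error in the input
  local ok, result = pcall(chunk)
  if not ok then return nil, result end        -- runtime error, e.g. nil 'os'
  return result
end

local hostile = '{ "fail": os.execute("echo oops!") }'               -- input from the post
local benign  = '{ "name": "lua", "tags": ["a", "b"], "ok": true }'  -- constructed sample

-- The benign document still decodes to an ordinary table.
local t = assert(decode_sandboxed(benign))
print(t.name, t.tags[2], t.ok)

-- The hostile document no longer runs a command: 'os' is nil inside the
-- chunk, so evaluation fails and the error message is returned.
local res, why = decode_sandboxed(hostile)
print(res, why)
```

An empty environment only removes globals: string methods stay reachable through the shared string metatable, and a function literal in the input can still loop forever, so this covers direct escapes and not resource exhaustion. A decoder that parses the text without evaluating it avoids the whole class.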