- Subject: Re: Simple Lua-only JSON decoder
- From: nobody <nobody+lua-list@...>
- Date: Mon, 17 Apr 2017 19:58:58 +0200
Please show me some sample JSON code that this decoder can't handle
properly.
Because it's not on your list yet:
> json_decode '{ "fail": os.execute("echo oops!") }'
oops!
< table: 0x17c2600
<< fail true
(Where does the JSON come from? Can you trust the sources...
...to not intentionally do this?
...to properly handle all inputs and not accidentally generate this?
...not to get hacked ever so no attacker will send this?)
Until now, no one said that [1] is broken. So just replacing
load("...")() with something along those lines should be (/ is?) enough
to handle direct escape attempts.
-- nobody
[1]: http://lua-users.org/lists/lua-l/2017-03/msg00232.html
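
An added example, not code from this thread or from [1]: a load()-based decoder next to the same decoder with the chunk confined to an empty environment. It assumes Lua 5.2+ (the four-argument load); json_to_lua, decode_unsafe and decode_confined are hypothetical names, and the translation is a simplified stand-in for the decoder under discussion.

```lua
-- Hypothetical, simplified translation of JSON text into Lua source.
-- Assumption: no ':' or brackets inside string values, no escapes.
local function json_to_lua(json)
  local src = json:gsub('%[', '{'):gsub('%]', '}')   -- arrays -> table constructors
  src = src:gsub('("[^"]*")%s*:', '[%1]=')           -- "key": -> ["key"]=
  return "return " .. src
end

-- Pattern criticised in the message: the chunk is compiled with the caller's
-- globals, so any expression in the input can reach os, io, require, ...
local function decode_unsafe(json)
  return load(json_to_lua(json))()
end

-- Confined variant: text chunks only ("t"), and an empty table as the chunk's
-- environment, so every global name in the input evaluates to nil.
local function decode_confined(json)
  local chunk, err = load(json_to_lua(json), "=json", "t", {})
  if not chunk then
    return nil, err                  -- input did not compile as a Lua expression
  end
  local ok, result = pcall(chunk)    -- runtime errors become return values
  if not ok then
    return nil, result
  end
  return result
end

-- Input from the message above, and a constructed benign sample.
local hostile = '{ "fail": os.execute("echo oops!") }'
local benign  = '{ "name": "x", "list": [1, 2, true] }'

-- Benign input decodes to the same table either way.
assert(decode_unsafe(benign).list[2] == decode_confined(benign).list[2])

-- Hostile input: the confined chunk fails when it indexes the nil global 'os',
-- and no command is run. decode_unsafe(hostile) reproduces the session above.
local result, err = decode_confined(hostile)
print(result, err)
```

The empty environment only removes access to globals: the chunk can still loop or allocate (string methods stay reachable through the string metatable), so untrusted input also needs a size or time bound, or a real parser.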