lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


On Thu, Jul 27, 2017 at 10:27 AM, Soni L. <fakedme@gmail.com> wrote:
>
>
> On 2017-07-27 02:50 AM, Mikhail Zaycev wrote:
>>
>> "Lua does not check the consistency of binary chunks. Maliciously crafted
>> binary chunks can crash the interpreter."
>> (https://www.lua.org/manual/5.3/manual.html#pdf-load)
>>
>> I think, load() should not be available to user. Potentially it is as
>> dangerous as os.execute().
>>
>
> HMAC on string.dump(), verify HMAC on load().
>
> --
> Disclaimer: these emails may be made public at any given time, with or
> without reason. If you don't agree with this, DO NOT REPLY.
>
>

Wrap `load()` in a function that rejects binary chunks.

/s/ Adam