On Thu, Jul 27, 2017 at 10:27 AM, Soni L. <fakedme@gmail.com> wrote:
On 2017-07-27 02:50 AM, Mikhail Zaycev wrote:
"Lua does not check the consistency of binary chunks. Maliciously crafted
binary chunks can crash the interpreter."
(https://www.lua.org/manual/5.3/manual.html#pdf-load)
I think load() should not be available to the user. Potentially it is as
dangerous as os.execute().
HMAC on string.dump(), verify HMAC on load().
--
Disclaimer: these emails may be made public at any given time, with or
without reason. If you don't agree with this, DO NOT REPLY.
Wrap `load()` in a function that rejects binary chunks.
/s/ Adam
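
The wrapper suggested in the last reply, as an added example that is not code from any poster in this thread. It assumes Lua 5.3, where `load` takes a `mode` argument and `"t"` restricts it to text chunks; `make_safe_load` and the `sandbox` table are hypothetical names.

```lua
-- Added example for Lua 5.3. make_safe_load and sandbox are hypothetical names.
local raw_load = load

-- Build a load() replacement that only accepts text chunks and whose
-- default environment is default_env instead of the real globals.
local function make_safe_load(default_env)
  return function(chunk, chunkname, mode, ...)
    if mode ~= nil and mode ~= "t" then
      return nil, "binary chunks are rejected (mode must be 't')"
    end
    -- An omitted env falls back to default_env; an explicit env
    -- (even nil) is forwarded unchanged, matching load()'s semantics.
    local env = default_env
    if select("#", ...) > 0 then env = (...) end
    -- Mode "t" is enforced by the parser itself, so it also covers
    -- chunks delivered piecewise through a reader function.
    return raw_load(chunk, chunkname, "t", env)
  end
end

-- Environment handed to untrusted code: it only ever sees the wrapper.
local sandbox = { print = print }
sandbox.load = make_safe_load(sandbox)

-- Constructed inputs: the same function as source text and as a binary chunk.
local text_chunk = "return 1 + 1"
local binary_chunk = string.dump(function() return 1 + 1 end)

-- Text source compiles and runs.
local f = assert(sandbox.load(text_chunk))
assert(f() == 2)

-- A binary chunk passed as a string is refused before it is undumped.
local g, err = sandbox.load(binary_chunk)
assert(g == nil)
print("rejected:", err)

-- The same binary chunk delivered through a reader function is refused too.
local sent = false
local h = sandbox.load(function()
  if sent then return nil end
  sent = true
  return binary_chunk
end)
assert(h == nil)

-- Code loaded without an explicit env sees the sandbox, not the real globals.
assert(sandbox.load("return os")() == nil)
```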