lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index] 



On 2017-07-27 12:46 PM, Coda Highland wrote:

On Thu, Jul 27, 2017 at 10:27 AM, Soni L. <fakedme@gmail.com> wrote:


On 2017-07-27 02:50 AM, Mikhail Zaycev wrote:

"Lua does not check the consistency of binary chunks. Maliciously crafted
binary chunks can crash the interpreter."
(https://www.lua.org/manual/5.3/manual.html#pdf-load)

I think, load() should not be available to user. Potentially it is as
dangerous as os.execute().


HMAC on string.dump(), verify HMAC on load().

--
Disclaimer: these emails may be made public at any given time, with or
without reason. If you don't agree with this, DO NOT REPLY.



Wrap `load()` in a function that rejects binary chunks.

/s/ Adam



Faster load times for multi-megabyte blocks of code.

--
Disclaimer: these emails may be made public at any given time, with or without reason. If you don't agree with this, DO NOT REPLY.