On Thu, Jul 27, 2017 at 10:53 AM, Soni L. <fakedme@gmail.com> wrote:
>
>
> On 2017-07-27 12:46 PM, Coda Highland wrote:
>>
>> On Thu, Jul 27, 2017 at 10:27 AM, Soni L. <fakedme@gmail.com> wrote:
>>>
>>>
>>> On 2017-07-27 02:50 AM, Mikhail Zaycev wrote:
>>>>
>>>> "Lua does not check the consistency of binary chunks. Maliciously
>>>> crafted
>>>> binary chunks can crash the interpreter."
>>>> (https://www.lua.org/manual/5.3/manual.html#pdf-load)
>>>>
>>>> I think load() should not be available to the user. Potentially it is as
>>>> dangerous as os.execute().
>>>>
>>> HMAC on string.dump(), verify HMAC on load().
>>>
>>> --
>>> Disclaimer: these emails may be made public at any given time, with or
>>> without reason. If you don't agree with this, DO NOT REPLY.
>>>
>>>
>> Wrap `load()` in a function that rejects binary chunks.
>>
>> /s/ Adam
>>
>
> Faster load times for multi-megabyte blocks of code.
>
> --
> Disclaimer: these emails may be made public at any given time, with or
> without reason. If you don't agree with this, DO NOT REPLY.
>
>

This is a demo page that we're trying to keep from misbehaving, not a
production system that needs optimized.

/s/ Adam
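
The wrapper suggested in this thread (a `load()` that rejects binary chunks), as an added example that is not part of the original messages. It assumes Lua 5.2 or later, where `load` accepts a mode argument; `make_safe_load` and the `sandbox` table are hypothetical names.

```lua
-- Added example: a text-only load() for sandboxed code (Lua 5.2+).
local raw_load = load

-- Build a load() replacement bound to one sandbox environment.
local function make_safe_load(sandbox_env)
  return function(chunk, chunkname, _mode, env)
    -- The caller's mode is ignored: "t" makes load() refuse precompiled
    -- chunks, whether the chunk is a string or a reader function.
    -- Without an explicit env the chunk would get the real globals,
    -- so default to the sandbox table instead.
    if env == nil then env = sandbox_env end
    return raw_load(chunk, chunkname, "t", env)
  end
end

-- Constructed sandbox exposing only a few safe functions.
local sandbox = { print = print, tostring = tostring }
sandbox.load = make_safe_load(sandbox)

-- Source text still loads and runs inside the sandbox environment.
local text_fn = assert(sandbox.load("return 1 + 1", "=text"))
assert(text_fn() == 2)

-- Chunks loaded without an env cannot see the host's globals.
local probe = assert(sandbox.load("return os", "=probe"))
assert(probe() == nil)

-- A precompiled chunk (constructed here with string.dump) is rejected,
-- even if the caller asks for mode "b".
local bin = string.dump(function() return 42 end)
local f, err = sandbox.load(bin, "=dumped", "b")
assert(f == nil)
print("string chunk rejected:", err)

-- The same chunk delivered through a reader function is rejected too.
local sent = false
local function reader()
  if sent then return nil end
  sent = true
  return bin
end
local g, err2 = sandbox.load(reader, "=reader")
assert(g == nil)
print("reader chunk rejected:", err2)
```

In Lua 5.1 `load` has no mode argument, so this wrapper does not apply there as written.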