lua-users home
lua-l archive



On Thu, Dec 13, 2018 at 3:02 PM Egor Skriptunoff
<egor.skriptunoff@gmail.com> wrote:
>
> On Thu, Dec 13, 2018 at 7:15 PM Roberto Ierusalimschy wrote:
>>
>> it seems easier to just
>> limit the maximum number of '=' in a long bracket. I don't think people
>> will mind a limit of 1000.
>
>
> IMO, it's not a good idea.
> If this limit is N, then the minimal size of a non-quotable string is about 0.5*N^2.
> The existence of non-quotable strings may crash some Lua programs on maliciously crafted input.
> N should be at least 10^6 to make sure non-quotable strings are unrealistically huge.
>

A string from anywhere but a literal in the source code isn't affected
by this issue. If maliciously crafted input can be a problem in your
application, then that means you're running user-supplied scripts. And
if you're running user-supplied scripts, then it wouldn't crash here
-- the load() call would just return an error. And if you're not
dealing with load errors when you're dealing with user-supplied
scripts, that's your own fault, not Lua's.

/s/ Adam
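The 0.5*N^2 argument from Egor's quoted paragraph, worked through as an added Lua example (this is not code from the thread or from Lua itself; the function names and the `max_level` cap are mine). It computes the long-bracket level a string needs, builds the shortest string that defeats every level up to N, and shows the fallback a serializer should take when the level would exceed the cap, so the emitted literal is always accepted by `load`.

```lua
-- Smallest k such that the closing bracket "]" .. ("="):rep(k) .. "]"
-- does not occur in s; a long bracket of that level can then hold s.
local function long_bracket_level(s)
  local k = 0
  while s:find("]" .. ("="):rep(k) .. "]", 1, true) do
    k = k + 1
  end
  return k
end

-- Shortest string that defeats every level 0..N: concatenate all closing
-- brackets up to level N. Its length is sum_{k=0}^{N} (k+2) = (N+1)(N+4)/2,
-- roughly 0.5*N^2 for large N, which is the estimate quoted above.
local function min_non_quotable(N)
  local parts = {}
  for k = 0, N do
    parts[#parts + 1] = "]" .. ("="):rep(k) .. "]"
  end
  return table.concat(parts)
end

-- Serializer: emit a long-bracket literal when its level fits under the
-- cap and the content survives long-bracket newline handling unchanged;
-- otherwise fall back to %q, whose escaped form has no level to exhaust.
local function quote(s, max_level)
  local k = long_bracket_level(s)
  if k <= max_level and not s:find("^\n") and not s:find("\r") then
    local eq = ("="):rep(k)
    return "[" .. eq .. "[" .. s .. "]" .. eq .. "]"
  end
  return string.format("%q", s)
end

local loadfn = loadstring or load          -- 5.1 vs 5.2+
local N = 1000                             -- cap proposed in the thread
local s = min_non_quotable(N)
assert(#s == (N + 1) * (N + 4) / 2)        -- 502502 bytes for N = 1000
assert(long_bracket_level(s) == N + 1)     -- needs one level more than the cap
assert(quote("a]]b", N) == "[=[a]]b]=]")   -- ordinary case: level 1 suffices
assert(quote(s, N):sub(1, 1) == '"')       -- over the cap: %q fallback taken
assert(loadfn("return " .. quote(s, N))() == s)  -- and it round-trips
print("ok")
```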