- Subject: Re: Bug: long strings with REALLY long delimiters…
- From: Coda Highland <chighland@...>
- Date: Thu, 13 Dec 2018 15:14:55 -0600
On Thu, Dec 13, 2018 at 3:02 PM Egor Skriptunoff
> On Thu, Dec 13, 2018 at 7:15 PM Roberto Ierusalimschy wrote:
>> it seems easier to just
>> limit the maximum number of '=' in a long bracket. I don't think people
>> will mind a limit of 1000.
> IMO, it's not a good idea.
> If this limit is N, then minimal size of non-quotable string is about 0.5*N^2
> Existence of non-quotable strings may crash some Lua programs by maliciously crafted input.
> N should be at least 10^6 to make sure non-quotable strings are unrealistically huge.
A string from anywhere but a literal in the source code isn't affected
by this issue. If maliciously crafted input can be a problem in your
application, then that means you're running user-supplied scripts. And
if you're running user-supplied scripts, then it wouldn't crash here
-- the load() call would just return an error. And if you're not
dealing with load errors when you're dealing with user-supplied
scripts, that's your own fault, not Lua's.
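
An added example, not part of the original message or of Lua's own code: a quoting routine that picks a free long-bracket level and falls back to `%q` when none is available under a cap, plus a loader that treats `load()` failures as ordinary return values. The names `MAX_LEVEL`, `free_level`, `quote`, `load_literal` and `adversarial` are hypothetical, the cap of 1000 is taken from the proposal quoted above, and Lua 5.2 or later is assumed.

```lua
-- Added example (not from the thread); assumes Lua 5.2+ for four-argument load.
-- MAX_LEVEL stands in for the proposed cap on '='; it is not a Lua constant.
local MAX_LEVEL = 1000

-- Smallest level whose closer "]" "="*n "]" cannot occur in s; nil if 0..max_level are taken.
local function free_level(s, max_level)
  local used, pos = {}, 1
  local probe = s .. "]"            -- a trailing "]==" would merge with the closer
  while true do
    local _, b, eq = probe:find("%](=*)%]", pos)
    if not b then break end
    used[#eq] = true
    pos = b                         -- this "]" may also start the next closer
  end
  for n = 0, max_level do
    if not used[n] then return n end
  end
end

-- Quote s as a Lua literal: long bracket when possible, %q otherwise.
local function quote(s, max_level)
  local n = free_level(s, max_level or MAX_LEVEL)
  if n == nil or s:find("\r", 1, true) then   -- lexer rewrites "\r" in long strings
    return string.format("%q", s)
  end
  local eq = ("="):rep(n)
  return "[" .. eq .. "[\n" .. s .. "]" .. eq .. "]"  -- first newline is skipped
end

-- Compile and run a literal as untrusted text: errors come back as values.
local function load_literal(src)
  local chunk, err = load("return " .. src, "=literal", "t", {})
  if not chunk then return nil, err end
  local ok, val = pcall(chunk)
  if not ok then return nil, val end
  return val
end

-- Constructed input: contains the closers for every level 0..n.
local function adversarial(n)
  local parts = { "]" }
  for i = 0, n do parts[#parts + 1] = ("="):rep(i) .. "]" end
  return table.concat(parts)
end

local s = adversarial(3)
assert(free_level(s, 3) == nil and free_level(s, 4) == 4)
assert(load_literal(quote(s, 3)) == s)   -- %q fallback round-trips
assert(load_literal(quote(s, 4)) == s)   -- level-4 long bracket round-trips
assert(not load_literal("[==[unterminated]=]"))  -- load() error returned, not thrown
```

The constructed string has length 1 + (n+1)(n+2)/2, which is the roughly 0.5*N^2 growth mentioned in the quoted message.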