lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On December 13, 2018 9:43:33 PM UTC, Coda Highland <> wrote:
>On Thu, Dec 13, 2018 at 3:32 PM David Favro <>
>>   On December 13, 2018 9:01:52 PM UTC, Egor Skriptunoff 
>> <> wrote:
>>   >On Thu, Dec 13, 2018 at 7:15 PM Roberto Ierusalimschy wrote:
>>   >> it seems easier to just
>>   >> limit the maximum number of '=' in a long bracket. I don't think
>>   >people
>>   >> will mind a limit of 1000.
>>   >
>>   >IMO, it's not a good idea.
>>   >If this limit is N, then minimal size of non-quotable string is
>>   >0.5*N^2
>>   What's a "non-quotable string"?
>>   Am I missing something or can't any string be represented as a
>literal with 
>> e.g. double-quote (") as delimiter and appropriate escaping of
>> characters?  If so, I don't see your definition of "non-quotable",
>could you 
>> elaborate?
>You're missing that Lua has another form of string literal (sometimes
>called "raw" strings) that treats its contents as verbatim instead of
>requiring special characters to be escaped. In this context,
>"non-quotable" means "a string that cannot be expressed using a raw
>string literal".
>/s/ Adam

Yes, I kind of assumed that, perhaps I was being a little rhetorical, but I don't think that "non-quotable" is remotely an accurate description of such a string, not what people would normally assume that the phrase means, even in the context of a mailing-list thread on long-strings.  And, while I've no idea what Egor meant about vulnerabilities surrounding them, I am imagining some kind of issue with a serialization library that tries to represent strings in the VM as Lua string literals for external storage being fed unquotable strings.  In my experience, such libraries don't use long-strings and I don't think that string.format()'s %q does either.  My point being that *any* string can be represented as a "quoted" Lua string literal, so I still ask for clarification what does "non-quotable" mean in this context, and why would such a string pose a vulnerability?