- Subject: Re: Bug: long strings with REALLY long delimiters …
- From: David Favro <lua@...>
- Date: Thu, 13 Dec 2018 22:09:27 +0000
On December 13, 2018 9:43:33 PM UTC, Coda Highland <email@example.com> wrote:
>On Thu, Dec 13, 2018 at 3:32 PM David Favro <firstname.lastname@example.org>
>> On December 13, 2018 9:01:52 PM UTC, Egor Skriptunoff
>> <email@example.com> wrote:
>> >On Thu, Dec 13, 2018 at 7:15 PM Roberto Ierusalimschy wrote:
>> >> it seems easier to just
>> >> limit the maximum number of '=' in a long bracket. I don't think
>> >> will mind a limit of 1000.
>> >IMO, it's not a good idea.
>> >If this limit is N, then minimal size of non-quotable string is
>> What's a "non-quotable string"?
>> Am I missing something or can't any string be represented as a
>> e.g. double-quote (") as delimiter and appropriate escaping of
>> characters? If so, I don't see your definition of "non-quotable",
>You're missing that Lua has another form of string literal (sometimes
>called "raw" strings) that treats its contents as verbatim instead of
>requiring special characters to be escaped. In this context,
>"non-quotable" means "a string that cannot be expressed using a raw
Yes, I kind of assumed that, perhaps I was being a little rhetorical, but I don't think that "non-quotable" is remotely an accurate description of such a string, not what people would normally assume that the phrase means, even in the context of a mailing-list thread on long-strings. And, while I've no idea what Egor meant about vulnerabilities surrounding them, I am imagining some kind of issue with a serialization library that tries to represent strings in the VM as Lua string literals for external storage being fed unquotable strings. In my experience, such libraries don't use long-strings and I don't think that string.format()'s %q does either. My point being that *any* string can be represented as a "quoted" Lua string literal, so I still ask for clarification what does "non-quotable" mean in this context, and why would such a string pose a vulnerability?
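The distinction argued over in this message, as an added example that is not part of the original post or of any Lua library: a serializer that uses a long bracket when one is available under a cap on '=' signs and otherwise falls back to `string.format`'s `%q`. `MAX_LEVEL`, `long_bracket_level` and `quote` are hypothetical names, the cap value is chosen small for the demonstration, and the sample strings are constructed.

```lua
-- Hypothetical cap standing in for the proposed limit on '=' in a long bracket.
local MAX_LEVEL = 3
local compile = loadstring or load   -- Lua 5.1 vs 5.2+

-- Smallest long-bracket level that can hold s verbatim, or nil if none
-- exists at or below max_level.
local function long_bracket_level(s, max_level)
  -- Long strings normalise every "\r" or "\r\n" to "\n", so a string
  -- containing "\r" cannot survive a raw literal at any level.
  if s:find("\r", 1, true) then return nil end
  for n = 0, max_level do
    local partial = "]" .. string.rep("=", n)
    -- Append the partial closer so a tail such as "]" or "]=" that would
    -- merge with the real closing bracket is also rejected.
    if not (s .. partial):find(partial .. "]", 1, true) then return n end
  end
  return nil
end

-- Return a Lua literal for s and which form was used.
local function quote(s, max_level)
  local n = long_bracket_level(s, max_level)
  if n then
    local eqs = string.rep("=", n)
    -- The newline after the opener is skipped by the lexer, which keeps a
    -- leading "\n" in s from being swallowed.
    return "[" .. eqs .. "[\n" .. s .. "]" .. eqs .. "]", "long"
  end
  return string.format("%q", s), "escaped"
end

-- Constructed samples: an ordinary string, one that holds every closer up to
-- the cap, and one with a carriage return.
local samples = { "a]]b", "]]" .. "]=]" .. "]==]" .. "]===]", "line1\r\nline2" }
for _, s in ipairs(samples) do
  local literal, form = quote(s, MAX_LEVEL)
  local back = assert(compile("return " .. literal))()
  assert(back == s, "round trip failed")
  print(form, #s, literal)
end
```

With the cap at 3, only the first sample gets a long bracket; the other two have no raw form and go through `%q`, and all three still round-trip through the compiler.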