[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: Bug: long strings with REALLY long delimiters …
- From: Tim Hill <drtimhill@...>
- Date: Thu, 13 Dec 2018 14:35:20 -0800
> On Dec 13, 2018, at 2:09 PM, David Favro <email@example.com> wrote:
> Yes, I kind of assumed that, perhaps I was being a little rhetorical, but I don't think that "non-quotable" is remotely an accurate description of such a string, not what people would normally assume that the phrase means, even in the context of a mailing-list thread on long-strings. And, while I've no idea what Egor meant about vulnerabilities surrounding them, I am imagining some kind of issue with a serialization library that tries to represent strings in the VM as Lua string literals for external storage being fed unquotable strings. In my experience, such libraries don't use long-strings and I don't think that string.format()'s %q does either. My point being that *any* string can be represented as a "quoted" Lua string literal, so I still ask for clarification what does "non-quotable" mean in this context, and why would such a string pose a vulnerability?
The official Lua term for these is “long format literal strings” (Lua Ref Manual 5.3). And +1 that with appropriate escaping both long and non-long (short?) literals can represent any sequence of bytes.