Le ven. 28 juin 2019 à 22:07, Soni "They/Them" L. <fakedme@gmail.com
<mailto:fakedme@gmail.com>> a écrit :
On 2019-06-27 8:47 p.m., Philippe Verdy wrote:
> Allowing a program to control the scoping of outer varisables
they did
> not declare themselves is a crazy and dangerous idea.
If you're concatenating attacker code into your program code, you
have
bigger issues. (see: SQL injection)
True but this does not contradict what I said, it's an independant
consideration.
You cannot unset globals and upvalues. It is an error.
There's no such "globals" in Lua, there are only "closures"
(containing upvalues including "_G").
Yes it is an error if you true to unset them because they are not
really in a scope you can override.
But even if you're in a simple do/end block, or in a for...end loop
declaring local loop variables, or after any "local" declaration, you
have a new (embedded) lexical scope that should still behave like a
closure and offer the protection:
Alowing such "unsets" of variables in outer scopes (that are still not
in an outer closure) is also crazy and dangerous (unless you say that,
to get the protection, you need to create and call a local function to
explicitly create a new closure: the code in the function must never
be able to unset variables from any outer visibility scope which is
not inside the current closure.
