lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]



On 2019-06-29 2:57 p.m., Philippe Verdy wrote:
Le ven. 28 juin 2019 à 22:07, Soni "They/Them" L. <fakedme@gmail.com <mailto:fakedme@gmail.com>> a écrit :
    On 2019-06-27 8:47 p.m., Philippe Verdy wrote:
    > Allowing a program to control the scoping of outer varisables
    they did
    > not declare themselves is a crazy and dangerous idea.

    If you're concatenating attacker code into your program code, you
    have
    bigger issues. (see: SQL injection)


True but this does not contradict what I said, it's an independant consideration.
    You cannot unset globals and upvalues. It is an error.


There's no such "globals" in Lua, there are only "closures" (containing upvalues including "_G").
Yes it is an error if you true to unset them because they are not 
really in a scope you can override.
But even if you're in a simple do/end block, or in a for...end loop 
declaring local loop variables, or after any "local" declaration, you 
have a new (embedded) lexical scope that should still behave like a 
closure and offer the protection:
Alowing such "unsets" of variables in outer scopes (that are still not 
in an outer closure) is also crazy and dangerous (unless you say that, 
to get the protection, you need to create and call a local function to 
explicitly create a new closure: the code in the function must never 
be able to unset variables from any outer visibility scope which is 
not inside the current closure.

There's nothing unsafe about "unset" because it's exactly equivalent to 
renaming your (local) variables.