lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

>  > The randomized seed is sufficient to protect against attacking a Lua-based
>  > program by providing a fixed malicious input that reliably works across
>  > runs. 
> Shouldn't it be possible to provide a malicious input that consists of
> strings of length 32 to 40 that differ only in characters that don't
> contribute to the hash?  That would work reliably across runs?
> I'm trying to understand what sort of attack is being defended
> against.  So far the only attack I understand is an attack against the
> performance of strings that are used by the implementation, like "__index".
> The seed renders such an attack impossible.
> Is there any other attack that's defended against here?

The problem you mentioned is not restricted to strings between 32 and
40 bytes, because often those strings go as keys to a table (e.g.,
collecting key-value pairs in a request) and can create collisions in
that table. That said, we thought about this issue at the time and
concluded it would not be a problem, but I cannot recall why :-)
(Maybe the program should prevent long keys in such a table?)

Anyway, you are right that it would be safer to avoid these collitions
in the internal table, at least. (That is, all short strings should use
all bytes for their hash.)

-- Roberto