lua-users home
lua-l archive

On Wed, Sep 13, 2023 at 10:22 AM Thijs Schreijer <thijs@thijsschreijer.nl> wrote:

> iirc this was exactly the reason a CVE was reported for a DoS hashing attack, and this was the fix. (please correct me if I'm wrong)

From memory: Lua used to intern very long strings, and use a hash that skipped characters for performance's sake. You could then generate lots and lots of strings that hashed to the same value but were different and bring the implementation to its knees by generating lots of hash collisions. The hash is now seeded with a random value generated when the interpreter starts up, and hashing of long strings is only performed on demand. If you read a 10 Mbyte file into a string you typically don't use it as a table key, so hashing would not be necessary and would lower performance, especially if you don't skip characters.


Ge'
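
An added illustration of the behaviour described in the message above (not part of the original post and not Lua's source code): a character-skipping hash beside one that reads every byte, plus a long-string record that is hashed only on first use. The function names, the mixing step, the 64-byte length and the seed value are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LEN 64       /* constructed sample: string length */
#define VARIANTS 26  /* constructed sample: number of strings */
typedef unsigned int (*hash_fn)(const char *, size_t, unsigned int);

/* Sampling hash: mixes in roughly 32 bytes however long the input is. */
unsigned int sampled_hash(const char *s, size_t len, unsigned int seed) {
    unsigned int h = seed ^ (unsigned int)len;
    size_t step = (len >> 5) + 1;          /* skip more bytes as len grows */
    for (size_t i = len; i >= step; i -= step)
        h ^= (h << 5) + (h >> 2) + (unsigned char)s[i - 1];
    return h;
}

/* Full hash: every byte contributes, so cost grows with the length. */
unsigned int full_hash(const char *s, size_t len, unsigned int seed) {
    unsigned int h = seed ^ (unsigned int)len;
    for (size_t i = len; i > 0; i--)
        h ^= (h << 5) + (h >> 2) + (unsigned char)s[i - 1];
    return h;
}

/* Hash VARIANTS strings that differ only in byte 0; count distinct hashes. */
int distinct_hashes(hash_fn fn, unsigned int seed) {
    unsigned int seen[VARIANTS];
    char buf[LEN];
    int n = 0;
    memset(buf, 'x', LEN);
    for (int k = 0; k < VARIANTS; k++) {
        buf[0] = (char)('A' + k);          /* byte 0 is skipped when LEN is 64 */
        unsigned int h = fn(buf, LEN, seed);
        int dup = 0;
        for (int j = 0; j < n; j++) if (seen[j] == h) dup = 1;
        if (!dup) seen[n++] = h;
    }
    return n;
}

/* Long string hashed on demand: no cost unless it is used as a table key. */
typedef struct { const char *s; size_t len; unsigned int hash; int hashed; } LongStr;
unsigned int long_hash(LongStr *ls, unsigned int seed) {
    if (!ls->hashed) { ls->hash = full_hash(ls->s, ls->len, seed); ls->hashed = 1; }
    return ls->hash;
}

int main(void) {
    printf("sampled: %d distinct, full: %d distinct\n",
           distinct_hashes(sampled_hash, 12345u), distinct_hashes(full_hash, 12345u));
    return 0;
}
```
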