lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

* Matthew P. Del Buono:

> Florian Weimer wrote:
>> * Roberto Ierusalimschy:
>>> Excluding malware, I do not think this situation happens enough to
>>> justify any worry.
>> I know the argument: anybody who wants to take out your web server can
>> just flood it with 5 Gbps of traffic (or more if necessary).
> I think you already have an issue if you're being flooded like that
> anyway.

Well, the idea behind that argument is that those attacks are readily
available, so you don't have to guard against anything.  I don't
really buy it.

>> Would an uninterned string type introduce too many additional code
>> paths in the VM?
> Why make a change to the VM? Why can't you just do it yourself?

Because I'd lose interoperability.

> Following the above logic, we can implement uninterned strings trivially
> as userdata. An __eq metamethod can be provided which passes off
> execution to strcmp (additional work may be neccessary to handle strings
> with zeros). We would use this userdata only for "insecure" strings,
> that is, strings that the remote user can influence. If we need to test
> between interned strings and our userdata, the userdata could provide a
> method through __index that allows for comparison against a string.

If I want to do use some existing code, I need to convert the data to
a real string, which exposes my code to interning.  The VM can present
the uninterned string as a regular string to C routines, for instance.