- Subject: Re: Some thoughts on security
- From: Pierre-Yves Gérardy <pygy79@...>
- Date: Mon, 12 Dec 2016 01:20:27 +0100
On Mon, Dec 12, 2016 at 1:11 AM, Nagaev Boris <firstname.lastname@example.org> wrote:
> On 11 Dec 2016 4:00 pm, "Pierre-Yves Gérardy" <email@example.com> wrote:
> On Mon, Dec 12, 2016 at 12:21 AM, Samuel Groß <firstname.lastname@example.org> wrote:
>> : "We have always considered it unacceptable for a Lua program to be
>> to crash the host application. Lua should be a safe language.". This seems
>> to be clearly violated here.
> Beside what Daurnimator said in a parallel thread, the sentence you
> quoted applies to Lua source code, not bytecode.
> A Lua program can load bytecode using the load function.
And the potential crashes are acknowledged at the end of
"Lua does not check the consistency of binary chunks. Maliciously
crafted binary chunks can crash the interpreter."
Also, you can call `load` in "t" mode, it will reject bytecode (it
would be nice if it was the default behavior).
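
The text-only loading mentioned in the message above, as an added example that is not part of the original post. It assumes Lua 5.2 or later (where `load` takes a mode argument); `text_only_load`, `sandbox_env` and `blob` are hypothetical names, and the sample inputs are constructed.

```lua
-- Added example, assuming Lua 5.2 or later. text_only_load, sandbox_env and
-- blob are hypothetical names, not part of the Lua standard library.

local sandbox_env = {}

-- Force mode "t": load then refuses any precompiled (binary) chunk.
-- The mode requested by the caller is deliberately ignored.
local function text_only_load(chunk, chunkname, _mode, env)
  return load(chunk, chunkname or "=untrusted", "t", env or sandbox_env)
end

-- Code running inside the sandbox gets the restricted loader too; otherwise
-- a source-only script could still hand bytecode to the stock load itself.
sandbox_env.load = text_only_load

-- Constructed sample inputs: the same code as text and as a binary chunk.
local source = "return 1 + 1"
local bytecode = string.dump(assert(load(source)))

-- Text source is accepted and runs normally.
local f = assert(text_only_load(source))
assert(f() == 2)

-- The binary chunk is rejected: load returns nil plus an error message.
local g, err = text_only_load(bytecode)
assert(g == nil)
print("direct load rejected: " .. err)

-- A sandboxed script that asks for binary mode is rejected as well.
sandbox_env.blob = bytecode
local script = assert(text_only_load('return load(blob, "x", "b")'))
local inner, inner_err = script()
assert(inner == nil)
print("load from inside sandbox rejected: " .. inner_err)

-- For contrast, the stock load with its default mode ("bt") accepts it.
assert(load(bytecode)() == 2)
```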