[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: [ANN] Lua 5.4.1 (rc1) now available
- From: Gé Weijers <ge@...>
- Date: Wed, 7 Oct 2020 17:38:37 -0700
On Wed, Oct 7, 2020 at 2:00 PM Roberto Ierusalimschy
> So, I don't see any bug here. (Of course, it would be better if we could
> improve the perforance of tables.)
One problem is that this can create an opportunity for DOS attacks if
the numbers are under the control of an attacker.
Strings have a similar problem if the 'step' parameter of luaS_hash is
> 1, you can create enormous amounts of strings that all hash to the
same value. This works for strings of length 41 and up in Lua 5.4.
Inserting a million maliciously crafted strings into the key position
of a table takes close to two hours on my laptop.
The question is whether this kind of "pathological" behavior should be
considered a bug or not.