Re: io:lines() and \0
- Subject: Re: io:lines() and \0
- From: Tim Hill <drtimhill@...>
- Date: 22 Feb 2014 17:30:19 -0800
On Feb 22, 2014, at 4:16 PM, Petite Abeille <petite.abeille@gmail.com> wrote:
>
> On Feb 23, 2014, at 12:48 AM, Tim Hill <drtimhill@gmail.com> wrote:
>
>> No,
>
> Shocker.
>
>> but it’s clear that io:lines() is a dangerous API to use unless you have complete control over the input dataset.
>
> ( Meh. Sounds like a drama-queen argument, with a dose of tunnel vision. Anyway, to each their own. )
>
>
No, not at all. Think for a minute. When you feed io:lines() malformed input it generates odd results, with no errors. This is pay-dirt for hackers trying to break into computer systems. A hacker sits down, finds some naive Lua code on a web server that uses io:lines() and then feeds it various inputs with ‘\0’ characters until he gets something “interesting” to happen. And this isn’t paranoia, there have been far less obvious vulnerabilities used in the past for some pretty dramatic exploits.
—Tim
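
A defensive way to handle the failure mode described in this message, as an added example that is not code from the thread: read the input as bytes, reject an embedded `\0` with an explicit error, and only then split it into lines. The helper name `safe_lines`, the 1 MiB size cap and the sample data are assumptions made for the illustration.

```lua
-- Added example, not code from the thread. safe_lines is a hypothetical helper.
-- It reads the file as raw bytes, rejects embedded "\0", then splits lines itself.
local function safe_lines(path, max_bytes)
  max_bytes = max_bytes or 1024 * 1024          -- assumed size cap (1 MiB)
  local f, err = io.open(path, "rb")            -- binary mode, no translation
  if not f then return nil, err end
  local data = f:read(max_bytes + 1) or ""      -- read() returns nil for an empty file
  f:close()
  if #data > max_bytes then return nil, "input larger than cap" end
  local nul = data:find("\0", 1, true)          -- plain find, safe on binary data
  if nul then
    return nil, ("embedded NUL at byte offset %d"):format(nul - 1)
  end
  -- Make sure the last line is terminated so the pattern below captures it.
  if data ~= "" and data:sub(-1) ~= "\n" then data = data .. "\n" end
  local lines = {}
  for line in data:gmatch("(.-)\r?\n") do       -- accepts LF and CRLF endings
    lines[#lines + 1] = line
  end
  return lines
end

-- Constructed sample input: three lines, the second with a NUL in the middle.
local path = os.tmpname()
local out = assert(io.open(path, "wb"))
out:write("alpha\nbe\0ta\ngamma\n")
out:close()

-- What io.lines() yields for this file depends on the Lua build in use;
-- printing the line lengths shows whether anything was silently dropped.
for line in io.lines(path) do
  print(("io.lines: %d bytes"):format(#line))
end

-- The checked reader reports the problem instead of returning odd data.
local lines, err = safe_lines(path)
print("safe_lines:", lines and #lines or err)

os.remove(path)
```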